Ben Nott

**Name of the Vulnerable Software and Affected Versions** PAN-OS versions earlier than 8.1.20-h1 PAN-OS versions earlier than 9.0.14-h3 PAN-OS versions earlier than 9.1.11-h2 PAN-OS versions earlier than 10.0.8 PAN-OS versions earlier than 10.1.3 Prisma Access 2.1 firewalls **Description** An OS command injection vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges. **Recommendations** For PAN-OS 8.1 versions earlier than 8.1.20-h1, update to PAN-OS 8.1.20-h1 or later. For PAN-OS 9.0 versions earlier than 9.0.14-h3, update to PAN-OS 9.0.14-h3 or later. For PAN-OS 9.1 versions earlier than 9.1.11-h2, update to PAN-OS 9.1.11-h2 or later. For PAN-OS 10.0 versions earlier than 10.0.8, update to PAN-OS 10.0.8 or later. For PAN-OS 10.1 versions earlier than 10.1.3, update to PAN-OS 10.1.3 or later. As a temporary workaround for Prisma Access 2.1 firewalls, consider restricting access to the CLI until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Palo Alto Networks Panorama versions PAN-OS 8.1 through PAN-OS 8.1.16 Palo Alto Networks Panorama versions PAN-OS 9.0 through PAN-OS 9.0.10 Palo Alto Networks Panorama versions PAN-OS 9.1 through PAN-OS 9.1.4 **Description** An information exposure issue exists in the Palo Alto Networks Panorama software, revealing the session token of the Panorama web interface administrator to a managed device when the administrator performs a context switch. This allows an attacker to gain privileged access to the Panorama web interface. The attacker requires some knowledge of managed firewalls to exploit this issue. **Recommendations** For versions PAN-OS 8.1 through PAN-OS 8.1.16, update to PAN-OS 8.1.17 or later. For versions PAN-OS 9.0 through PAN-OS 9.0.10, update to PAN-OS 9.0.11 or later. For versions PAN-OS 9.1 through PAN-OS 9.1.4, update to PAN-OS 9.1.5 or later.

Name of the Vulnerable Software and Affected Versions: PAN-OS versions earlier than 8.1.16 PAN-OS versions earlier than 9.0.9 Description: A reflected cross-site scripting (XSS) issue exists in the PAN-OS management web interface. This could allow a remote attacker to execute arbitrary JavaScript code in an administrator's browser and perform administrative actions if the administrator clicks on a crafted link. The issue is related to insufficient input validation. Recommendations: For PAN-OS versions earlier than 8.1.16, update to version 8.1.16 or later. For PAN-OS versions earlier than 9.0.9, update to version 9.0.9 or later.

**Name of the Vulnerable Software and Affected Versions** Palo Alto Networks PAN-OS Panorama versions 7.1 Palo Alto Networks PAN-OS Panorama versions 8.0 Palo Alto Networks PAN-OS Panorama versions 8.1 through 8.1.13 Palo Alto Networks PAN-OS Panorama versions 9.0 through 9.0.6 Palo Alto Networks PAN-OS Panorama versions 9.1 through 9.0.9 is not correct, it should be versions prior to 9.1.0, so Palo Alto Networks PAN-OS Panorama versions prior to 9.1.0 **Description** An improper input validation issue in the configuration daemon of Palo Alto Networks PAN-OS Panorama allows a remote unauthenticated user to send a specifically crafted registration request to the device, causing the configuration service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS Panorama services by restarting the device and putting it into maintenance mode. **Recommendations** For versions 7.1, update to a version later than 7.1. For versions 8.0, update to a version later than 8.0. For versions 8.1 through 8.1.13, update to version 8.1.14 or later. For versions 9.0 through 9.0.6, update to version 9.0.7 or later. For versions prior to 9.1.0, update to version 9.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Palo Alto Networks PAN-OS Panorama versions prior to 7.1.26 Palo Alto Networks PAN-OS Panorama versions prior to 8.1.13 Palo Alto Networks PAN-OS Panorama versions prior to 9.0.6 Palo Alto Networks PAN-OS Panorama versions prior to 9.1.1 Palo Alto Networks PAN-OS Panorama version 8.0 **Description** A cleartext transmission of sensitive information issue in Palo Alto Networks PAN-OS Panorama discloses an authenticated PAN-OS administrator's PAN-OS session cookie. When an administrator issues a context switch request into a managed firewall with an affected PAN-OS Panorama version, their PAN-OS session cookie is transmitted over cleartext to the firewall. An attacker with the ability to intercept this network traffic between the firewall and Panorama can access the administrator's account and further manipulate devices managed by Panorama. **Recommendations** For versions prior to 7.1.26, update to version 7.1.26 or later. For versions prior to 8.1.13, update to version 8.1.13 or later. For versions prior to 9.0.6, update to version 9.0.6 or later. For versions prior to 9.1.1, update to version 9.1.1 or later. For version 8.0, consider upgrading to a later version of PAN-OS.

**Name of the Vulnerable Software and Affected Versions** PAN-OS versions prior to 7.1.26 PAN-OS versions prior to 8.1.12 PAN-OS versions prior to 9.0.6 PAN-OS 8.0 (all versions) **Description** The issue is related to an authentication bypass vulnerability in the Panorama context switching feature, which can allow an attacker with network access to a Panorama's management interface to gain privileged access to managed firewalls. The attacker requires some knowledge of managed firewalls to exploit this issue. This issue does not affect Panorama configured with custom certificates authentication for communication between Panorama and managed devices. **Recommendations** For PAN-OS versions prior to 7.1.26, update to version 7.1.26 or later. For PAN-OS versions prior to 8.1.12, update to version 8.1.12 or later. For PAN-OS versions prior to 9.0.6, update to version 9.0.6 or later. For PAN-OS 8.0, consider upgrading to a newer version of PAN-OS that is not affected by this issue. As a temporary workaround, consider configuring Panorama with custom certificates authentication for communication between Panorama and managed devices to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** PAN-OS for Panorama versions 7.1 through 8.0 PAN-OS for Panorama 8.1 versions prior to 8.1.13 PAN-OS for Panorama 9.0 versions prior to 9.0.7 **Description** The issue is related to an improper restriction of XML external entity reference ('XXE') vulnerability in the Palo Alto Networks Panorama management service. This allows remote unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system. **Recommendations** For PAN-OS for Panorama versions 7.1 through 8.0, update to a version outside of this range to mitigate the risk. For PAN-OS for Panorama 8.1 versions prior to 8.1.13, update to version 8.1.13 or later. For PAN-OS for Panorama 9.0 versions prior to 9.0.7, update to version 9.0.7 or later.

**Name of the Vulnerable Software and Affected Versions** PAN-OS versions 7.1 through 8.0 PAN-OS 8.1 versions prior to 8.1.14 PAN-OS 9.0 versions prior to 9.0.7 **Description** An OS Command Injection issue in the PAN-OS management server allows authenticated users to inject and execute arbitrary shell commands with root privileges. **Recommendations** For PAN-OS versions 7.1 through 8.0, update to a version later than 8.0. For PAN-OS 8.1 versions prior to 8.1.14, update to version 8.1.14 or later. For PAN-OS 9.0 versions prior to 9.0.7, update to version 9.0.7 or later.

**Name of the Vulnerable Software and Affected Versions** PAN-OS versions 7.1 PAN-OS versions 8.0 PAN-OS versions 8.1 through 8.1.13 PAN-OS versions 9.0 through 9.0.8 **Description** A missing authorization vulnerability in the management server component of PAN-OS Panorama allows a remote unauthenticated user to inject messages into the management server ms.log file. This issue can be leveraged to obfuscate an ongoing attack or fabricate log entries in the ms.log file. **Recommendations** For PAN-OS versions 7.1, update to a version later than 7.1. For PAN-OS versions 8.0, update to a version later than 8.0. For PAN-OS versions 8.1 through 8.1.13, update to version 8.1.14 or later. For PAN-OS versions 9.0 through 9.0.8, update to version 9.0.9 or later.

**Name of the Vulnerable Software and Affected Versions** Palo Alto Networks PAN-OS Panorama versions 7.1 Palo Alto Networks PAN-OS Panorama versions 8.0 through 8.0.20 Palo Alto Networks PAN-OS Panorama versions 8.1 through 8.1.11 Palo Alto Networks PAN-OS Panorama versions 9.0 through 9.0.5 **Description** An external control of path and data issue in the Palo Alto Networks PAN-OS Panorama XSLT processing logic allows an unauthenticated user with network access to the PAN-OS management interface to write attacker-supplied files on the system and elevate privileges. **Recommendations** For versions 7.1, update to a version later than 7.1 to resolve the issue. For versions 8.0 through 8.0.20, update to version 8.0.21 or later to resolve the issue. For versions 8.1 through 8.1.11, update to version 8.1.12 or later to resolve the issue. For versions 9.0 through 9.0.5, update to version 9.0.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Tuleap versions prior to 9.7 PhpWiki versions prior to 1.5.5 **Description** The issue allows command injection via the PhpWiki 1.3.10 SyntaxHighlighter plugin in the Project Wiki component. This occurs because the proc open PHP function is used with a syntax value in its first argument, which can be controlled by an authenticated Tuleap user, including shell metacharacters. For example, a line like '<?plugin SyntaxHighlighter syntax=`c;id`>' can be used to execute the id command. **Recommendations** For Tuleap versions prior to 9.7, update to version 9.7 or later. For PhpWiki versions prior to 1.5.5, update to version 1.5.5 or later. As a temporary workaround, consider disabling the SyntaxHighlighter plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** dotCMS versions prior to 3.6.2 **Description** An issue was discovered in the `findChildrenByFilter()` function, which is called by the web-accessible path `/categoriesServlet`. This function performs string interpolation and direct SQL query execution. Although SQL quote escaping and a keyword blacklist were implemented as part of a remediation effort, these controls can be overcome in the case of the `q` and `inode` parameters to the `/categoriesServlet` path. This allows for blind boolean SQL injection vectors in either parameter. The `/categoriesServlet` web path can be accessed remotely and without authentication in a default dotCMS deployment. **Recommendations** For dotCMS versions prior to 3.6.2, update to version 3.6.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/categoriesServlet` path to minimize the risk of exploitation. Avoid using the `q` and `inode` parameters in the affected API endpoint until the issue is resolved.