| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.1 | $0-$5k | 0.00 |
Summary
A vulnerability labeled as problematic has been found in Palo Alto PAN-OS 4.1.12/5.0.5. Affected by this vulnerability is an unknown functionality of the component API Browser. Executing a manipulation can lead to security check. The attack can be launched remotely. Moreover, an exploit is present. The affected component should be upgraded.
Details
A vulnerability classified as problematic was found in Palo Alto PAN-OS 4.1.12/5.0.5 (Firewall Software). This vulnerability affects an unknown part of the component API Browser. The manipulation with an unknown input leads to a security check vulnerability. The CWE definition for the vulnerability is CWE-358. The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. As an impact it is known to affect integrity.
The weakness was disclosed 01/22/2014 by Jungo Katsuyama with NTT Communications as PAN-SA-2013-0002: as confirmed advisory (Website). The advisory is shared for download at securityadvisories.paloaltonetworks.com. The public release has been coordinated in cooperation with the vendor. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. Technical details are unknown but an exploit is available. The MITRE ATT&CK project declares the attack technique as T1211. The advisory points out:
A cross-site scripting vulnerability exists in the web-based device management API browser whereby data provided by the user is echoed back to the user without sanitization.
It is declared as highly functional.
Upgrading to version 4.1.13 or 5.0.6 eliminates this vulnerability.
The vulnerability is also documented in the databases at X-Force (90984), SecurityFocus (BID 65423†) and Secunia (SA56679†). The entries VDB-12231, VDB-12233 and VDB-64841 are pretty similar. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Type
Vendor
Name
Version
License
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.3VulDB Meta Temp Score: 4.1
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Security checkCWE: CWE-358
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Highly functional
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: PAN-OS 4.1.13/5.0.6
Timeline
01/22/2014 🔍02/07/2014 🔍
02/07/2014 🔍
02/12/2014 🔍
03/29/2019 🔍
Sources
Vendor: paloaltonetworks.comAdvisory: PAN-SA-2013-0002:
Researcher: Jungo Katsuyama
Organization: NTT Communications
Status: Confirmed
Coordinated: 🔍
GCVE (VulDB): GCVE-100-12232
X-Force: 90984 - Palo Alto Networks PAN-OS API browser cross-site scripting, Medium Risk
SecurityFocus: 65423
Secunia: 56679 - Palo Alto Networks PAN-OS API Browser Cross-Site Scripting Vulnerability, Less Critical
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 02/12/2014 11:51Updated: 03/29/2019 19:24
Changes: 02/12/2014 11:51 (57), 03/29/2019 19:24 (1)
Complete: 🔍
Cache ID: 216::103
VulDB is the best source for vulnerability data and more expert information about this specific topic.
No comments yet. Languages: en.
Please log in to comment.