CVE-2013-5664

PAN-OS < 4.1.13 and 5.0.x < 5.0.6 - Cross-Site Scripting via Web-Based Device-Management API

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-5664. PoCs published by phusion.

AI-analyzed exploit summary

This repository demonstrates CVE-2012-5664, a SQL injection vulnerability in Rails applications. The PoC includes a Rails app with a vulnerable controller that uses `find_by_name` with unsanitized user input, allowing SQL injection.

Description

Cross-site scripting (XSS) vulnerability in the web-based device-management API browser in Palo Alto Networks PAN-OS before 4.1.13 and 5.0.x before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via crafted data, aka Ref ID 50908.

Exploits (1)

Source: nomisec · Working PoC · 2 stars
by phusion · poc
https://github.com/phusion/rails-cve-2012-5664-test

Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Ruby on Rails (versions affected by CVE-2012-5664)
Authentication: none needed
Prerequisites: A vulnerable Rails application with dynamic finders exposed to user input
Analyzed by devstral-2 on Feb 16, 2026

References (1)

Core reference (x_refsource_confirm):
https://security.paloaltonetworks.com/CVE-2013-5664

Scores

EPSS: 0.0064
EPSS Percentile: 70.7%

Details

CWE: CWE-79
Status: published
Products (29):
paloaltonetworks/pan-os 4.0.0
paloaltonetworks/pan-os 4.0.1
paloaltonetworks/pan-os 4.0.2
paloaltonetworks/pan-os 4.0.3
paloaltonetworks/pan-os 4.0.4
paloaltonetworks/pan-os 4.0.5
paloaltonetworks/pan-os 4.0.6
paloaltonetworks/pan-os 4.0.7
paloaltonetworks/pan-os 4.0.8
paloaltonetworks/pan-os 4.1.0
... and 19 more
Published: Aug 31, 2013
Tracked since: Feb 18, 2026