CVE-2016-9149

MEDIUM

Palo Alto Networks PAN-OS <7.1.6 - XPath Injection

Title source: llm

Description

The Addresses Object parser in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 mishandles single quote characters, which allows remote authenticated users to conduct XPath injection attacks via a crafted string.

References (3)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/94401

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1037379

[Various Sources] https://security.paloaltonetworks.com/CVE-2016-9149

Scores

CVSS v3 6.5

EPSS 0.0025

EPSS Percentile 47.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Classification

CWE

CWE-19

Status published

Affected Products (2)

paloaltonetworks/pan-os < 5.0.20

n/a/n/a

Timeline

Published Nov 19, 2016

Tracked Since Feb 18, 2026