XPath Injection

2016-11-17T17:03:00
ID PAN-SA-2016-0037
Type paloalto
Reporter Palo Alto Networks Product Security Incident Response Team
Modified 2016-11-17T17:03:00

Description

The Addresses Object parsing function does not properly escape single quotes (Ref # PAN-55237/92073/CVE-2016-9149). This post-authentication vulnerability could allow XPath manipulation. This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; and PAN-OS 7.1.5 and earlier.

Work around: N/A
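
The class of bug described above, a value containing a single quote placed into an XPath string literal, is shown here as an added example; it is not PAN-OS code and not from the advisory. The XML layout, the element and attribute names, and all function names are assumptions made for illustration, and the helper covers the general case (values containing both kinds of quote) as well as the single-quote case the advisory names.

```python
import xml.etree.ElementTree as ET

# Constructed sample data; element and attribute names are assumptions.
SAMPLE = """<config><address>
  <entry name="web-01" ip="10.0.0.10"/>
  <entry name="o'brien-host" ip="10.0.0.20"/>
</address></config>"""


def xpath_literal(value):
    """Return value as an XPath 1.0 string literal.

    XPath 1.0 has no escape character inside a literal, so use the
    delimiter the value does not contain; if it contains both kinds of
    quote, split on ' and rejoin the pieces with concat().
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    args = []
    for i, part in enumerate(value.split("'")):
        if i:
            args.append('"\'"')  # the single quote itself, double-quoted
        if part:
            args.append("'" + part + "'")
    return "concat(" + ", ".join(args) + ")"


def unsafe_query(name):
    # Weak pattern: the value is pasted between single quotes unchanged,
    # so a quote in the value ends the literal early.
    return ".//entry[@name='" + name + "']"


def safe_query(name):
    # The value always stays inside one string expression.
    return ".//entry[@name=" + xpath_literal(name) + "]"


def lookup(root, name):
    """Return the ip of every entry whose name equals `name` exactly.

    ElementTree evaluates only a subset of XPath; the concat() form
    needs a full XPath 1.0 engine.
    """
    return [e.get("ip") for e in root.findall(safe_query(name))]
```

Where the XPath library supports variable binding, passing the value as a variable instead of building the expression as a string avoids the quoting problem altogether.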