CVE-2016-9149

The Addresses Object parser in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 mishandles single quote characters, which allows remote authenticated users to conduct XPath injection attacks via a crafted string.

Published: Nov 19, 2016
Updated: Apr 13, 2023
CVE: CVE-2016-9149
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:P/A:N

CWEs:

CWE-19

Affected Software
References

Software	From	Fixed in
paloaltonetworks / pan-os	5.0.0	5.0.20
paloaltonetworks / pan-os	5.1.0	5.1.13
paloaltonetworks / pan-os	6.0.0	6.0.15
paloaltonetworks / pan-os	6.1.0	6.1.15
paloaltonetworks / pan-os	7.0.0	7.0.11
paloaltonetworks / pan-os	7.1.0	7.1.6

http://www.securityfocus.com/bid/94401
http://www.securitytracker.com/id/1037379
https://security.paloaltonetworks.com/CVE-2016-9149

Vulnerability Database

289,697

CVE-2016-9149