Vulnerability CVE-2018-10143


Published: 2018-12-11

Description:
The Palo Alto Networks Expedition Migration tool 1.0.107 and earlier may allow an unauthenticated attacker with remote access to run system level commands on the device hosting this service/application.

Type:

CWE-284

(Improper Access Control)

Vendor: Paloaltonetworks
Product: Expedition 
Version: 1.0.107;

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://www.securityfocus.com/bid/106174
https://doddsecurity.com/234/command-injection-on-palo-alto-networks-expedition/
https://securityadvisories.paloaltonetworks.com/Home/Detail/138

Related CVE
CVE-2019-1574
Cross-site scripting (XSS) vulnerability in Palo Alto Networks Expedition Migration tool 1.1.12 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the Devices View.
CVE-2019-1573
GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS may allow an attacker to access authentication and/or session tokens and replay them to spoof the VPN session and gain access as the user.
CVE-2019-1567
The Expedition Migration tool 1.1.6 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the User Mapping Settings.
CVE-2019-1572
PAN-OS 9.0.0 may allow an unauthenticated remote user to access php files.
CVE-2019-1571
The Expedition Migration tool 1.1.8 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the RADIUS server settings.
CVE-2019-1570
The Expedition Migration tool 1.1.8 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the LDAP server settings.
CVE-2019-1569
The Expedition Migration tool 1.1.8 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the User Mapping Settings for account name of admin user.
CVE-2019-1566
The PAN-OS management web interface in PAN-OS 7.1.21 and earlier, PAN-OS 8.0.14 and earlier, and PAN-OS 8.1.5 and earlier, may allow an unauthenticated attacker to inject arbitrary JavaScript or HTML.

Copyright 2019, cxsecurity.com

 

Back to Top