4.8

CVE-2025-0137

PAN-OS: Improper Neutralization of Input in the Management Web Interface

An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator.


The attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended  critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerPalo Alto Networks
Produkt Cloud NGFW
Default Statusunaffected
Version All
Version < 6.3.3
Status unaffected
HerstellerPalo Alto Networks
Produkt PAN-OS
Default Statusunaffected
Version 11.2.0
Version < 11.2.5
Status affected
Version 11.1.0
Version < 11.1.8
Status affected
Version 10.2.0
Version < 10.2.13
Status affected
Version 10.1.0
Version < 10.1.14-h14
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.37% 0.583
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
psirt@paloaltonetworks.com 4.8 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:M/U:Amber
CWE-83 Improper Neutralization of Script in Attributes in a Web Page

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.