CVE-2020-1975: 
PAN-OS vulnerability analysis and mitigation

A missing XML validation vulnerability (CVE-2020-1975) was discovered in the PAN-OS web interface affecting Palo Alto Networks PAN-OS software. The vulnerability was disclosed on February 12, 2020, and affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.12 and PAN-OS 9.0 versions earlier than PAN-OS 9.0.6. This issue does not affect PAN-OS 7.1, PAN-OS 8.0, or PAN-OS 9.1 or later versions (Palo Alto).

The vulnerability allows authenticated users to inject arbitrary XML that results in privilege escalation. The issue has been assigned a CVSS v3.1 Base Score of 6.8 (MEDIUM) with the following metrics: Attack Vector: NETWORK, Attack Complexity: LOW, Privileges Required: HIGH, User Interaction: REQUIRED, Scope: UNCHANGED, Confidentiality Impact: HIGH, Integrity Impact: HIGH, Availability Impact: HIGH. The weakness type is classified as CWE-112 Missing XML Validation (Palo Alto).

The successful exploitation of this vulnerability could allow authenticated users to escalate their privileges through arbitrary XML injection in the web interface. This could potentially lead to unauthorized access to system resources and compromise of system security (Palo Alto).

The vulnerability has been fixed in PAN-OS 8.1.12, PAN-OS 9.0.6, and all later versions. As a workaround, access to the web-based management interface of the appliance should be limited strictly to only trusted users, hosts, and networks (Palo Alto).

The issue was discovered during a security assessment performed by a customer, highlighting the importance of customer security assessments in identifying potential vulnerabilities (Palo Alto).