Session Fixation Vulnerability in GlobalProtect Portal Feature in PAN-OS

Session Fixation Vulnerability in GlobalProtect Portal Feature in PAN-OS

CVE-2020-1993 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8.

Learn more about our User Device Pen Test.