CVE-2020-1993

The presence of the GlobalProtect Portal feature in PAN-OS poses a vulnerability, where a new session identifier is not generated following a user's successful login. Consequently, if an attacker gains control over a user's session ID, they can exploit this flaw to launch session fixation attacks. This vulnerability applies to various versions of PAN-OS including all versions of 7.1 and 8.0, as well as versions prior to 8.1.14 for PAN-OS 8.1, and versions earlier than 9.0.8 for PAN-OS 9.0.