Cross Site Scripting in PAN-OS Captive Portal (PAN-SA-2017-0031)

Last revised: 01/02/2018


A vulnerability exists in PAN-OS Captive Portal that, when the portal is configured in a certain way, could allow a cross-site scripting (XSS) attack against clients viewing the captive portal page. (Ref # PAN-85238 / CVE-2017-16878)

Severity: Medium

Successful exploitation of this issue may allow an attacker to inject arbitrary JavaScript or HTML.

Products Affected

PAN-OS 8.0.6-h3 and earlier.

Available Updates

PAN-OS 8.0.7 and later.

Workarounds and Mitigations

Customers not using the Captive Portal function within PAN-OS are not impacted by this vulnerability.


Palo Alto Networks would like to thank Shaun Wheelhouse for reporting this issue to us.