Cross-Site Scripting in the Management Web Interface (PAN-SA-2017-0004)

Last revised: 02/21/2017

Summary

A persistent cross-site scripting (XSS) vulnerability exists in the management web interface (ref # PAN-66838 / CVE-2017-5584).

Severity: Medium

PAN-OS contains a post-authentication vulnerability that may allow a persistent cross-site scripting (XSS) attack against the management web interface. Successful exploitation of this issue may allow an authenticated attacker to inject arbitrary JavaScript or HTML that is stored and later rendered in the browser of other administrators using the interface.

Products Affected

PAN-OS 5.1, PAN-OS 6.0, PAN-OS 6.1.15 and earlier, PAN-OS 7.0.12 and earlier, PAN-OS 7.1.7 and earlier

Available Updates

PAN-OS 6.1.16 and later, PAN-OS 7.0.13 and later, PAN-OS 7.1.8 and later

Workarounds and Mitigations

Palo Alto Networks recommends following best practice by allowing web interface access only from a dedicated management network. Additionally, restrict the set of IP addresses that are permitted to interact with the management interface to a subset of authorized sources.
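As an added example that is not part of this advisory, the following PAN-OS CLI session applies that mitigation by limiting management access to an allowlist of source addresses and disabling the plaintext management services; the hostname (PA-VM) and the address ranges (10.10.0.0/24 as the dedicated management subnet, 192.0.2.10 as a single administration host) are placeholders, and the command syntax is recalled from the PAN-OS CLI rather than taken from this page.

```text
admin@PA-VM> configure
admin@PA-VM# set deviceconfig system permitted-ip 10.10.0.0/24
admin@PA-VM# set deviceconfig system permitted-ip 192.0.2.10/32
admin@PA-VM# set deviceconfig system service disable-http yes
admin@PA-VM# set deviceconfig system service disable-telnet yes
admin@PA-VM# show deviceconfig system permitted-ip
admin@PA-VM# commit
```

The `show` step lets you confirm the allowlist before committing, since a typo there locks out every address not listed, including the one you are configuring from.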

Acknowledgements

Palo Alto Networks would like to thank Mohamed Keffous for reporting this issue to us.