Cross-Site Scripting in Expedition Migration Tool (PAN-SA-2019-0004)

Last revised: 03/12/2019

Summary

Three cross-site scripting (XSS) vulnerabilities exist in the Palo Alto Networks Migration Tool (“Expedition”). (Ref # MT-926/ CVE-2019-1569; MT-927/ CVE-2019-1570; MT-928, MT-929/ CVE-2019-1571)

Severity: Low

CVE-2019-1569: Successful exploitation of this issue may allow an authenticated attacker to inject arbitrary JavaScript or HTML in the User Mapping settings. CVE-2019-1570: Successful exploitation of this issue may allow an authenticated attacker to inject arbitrary JavaScript or HTML in the LDAP server settings. CVE-2019-1571: Successful exploitation of this issue may allow an authenticated attacker to inject arbitrary JavaScript or HTML in the RADIUS server settings.

Products Affected

Expedition 1.1.8 and earlier. Note that this issue only impacts the Palo Alto Networks Migration Tool (“Expedition”), a tool available from the Palo Alto Networks Live site. This issue does not affect PAN-OS or any other supported product or service. For more information on Expedition, see: https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool.

Available Updates

Expedition 1.1.9 and later

Workarounds and Mitigations

N/A

Acknowledgements

Palo Alto Networks would like to thank Sayali Kulkarni of Tenable for reporting these issues.