Cross Site Scripting in PAN-OS (PAN-SA-2018-0003)

Last revised: 06/26/2018

Summary

A Cross-Site Scripting (XSS) vulnerability exists in the PAN-OS URL filtering “continue page” (Ref # PAN-OS 90835, CVE-2018-7636). PAN-OS software does not properly validate specific request parameters.

Severity: Medium

Successful exploitation of this issue may allow an attacker to inject arbitrary JavaScript or HTML in specially crafted URLs that link to a URL filtering “continue page” hosted by the firewall.

Products Affected

PAN-OS major release 8.0 is affected (PAN-OS 8.0.10 and earlier). Other PAN-OS major releases (8.1.x, 7.1.x, 6.1.x) are not affected.

Available Updates

This issue is fixed in PAN-OS 8.0.11-h1 and later. PAN-OS major releases 8.1.x, 7.1.x, and 6.1.x are not impacted.
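The affected and fixed ranges above reduce to a simple version test, useful when triaging a fleet of firewalls. The following is an added example, not Palo Alto Networks code; it assumes PAN-OS version strings of the form MAJOR.MINOR.MAINT with an optional -hN hotfix suffix (e.g. "8.0.11-h1"), and the device inventory in it is constructed.

```python
import re
from typing import List, Tuple

# Added example (not vendor code). Encodes the range stated in PAN-SA-2018-0003:
# only PAN-OS 8.0.x is affected, and the fix ships in 8.0.11-h1 and later.
# Assumed version layout: MAJOR.MINOR.MAINT[-hN], e.g. "8.0.10" or "8.0.11-h1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple; no hotfix means 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


# First build named by the advisory as carrying the fix.
FIXED_IN = parse_panos_version("8.0.11-h1")


def is_affected_by_pan_sa_2018_0003(version: str) -> bool:
    """True when the PAN-OS version is in the affected range for CVE-2018-7636."""
    v = parse_panos_version(version)
    if v[:2] != (8, 0):
        # 8.1.x, 7.1.x and 6.1.x are not affected per the advisory.
        return False
    # 8.0.10 and earlier are affected. A bare 8.0.11 (hotfix 0) sorts below
    # 8.0.11-h1 and is therefore treated as unfixed, which is the safe reading.
    return v < FIXED_IN


def affected_devices(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames of (hostname, version) pairs that still need the update."""
    return [host for host, ver in inventory if is_affected_by_pan_sa_2018_0003(ver)]


# Constructed sample inventory for illustration; not real devices.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "8.0.10"),
    ("fw-edge-2", "8.0.11-h1"),
    ("fw-dc-1", "8.1.2"),
    ("fw-branch-1", "7.1.15"),
]

if __name__ == "__main__":
    print("needs PAN-OS 8.0.11-h1 or later:", affected_devices(SAMPLE_INVENTORY))
```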

Workarounds and Mitigations

This issue impacts the continue page and admin override page, but does not impact the block page. URL filtering configurations that only use the “block” page but not the continue page or admin override feature are not impacted.

Acknowledgements

Palo Alto Networks would like to thank Ayushman Dutta for reporting this issue.