Last revised: 01/02/2018
A vulnerability exists in PAN-OS Captive Portal that could allow for a cross-site scripting (XSS) attack to be performed against clients viewing the captive portal page when configured in a certain way. (Ref # PAN-85238 / CVE-2017-16878)
PAN-OS 8.0.6-h3 and earlier.
PAN-OS 8.0.7 and later.
Customers not using the Captive Portal function within PAN-OS are not impacted by this vulnerability.
Palo Alto Networks would like to thank Shaun Wheelhouse for reporting this issue to us.