Cross-Site Scripting (XSS) in PAN-OS External Dynamic Lists (PAN-SA-2019-0001)

Last revised: 01/23/2019


A Cross-Site Scripting (XSS) vulnerability exists in the PAN-OS External Dynamic Lists. (Ref. # PAN-106776; CVE-2019-1565)

Severity: Medium

Successful exploitation of this issue may allow an attacker that is authenticated in Next Generation Firewall with write privileges to External Dynamic List configuration to inject arbitrary JavaScript or HTML.

Products Affected

PAN-OS 7.1.21 and earlier, PAN-OS 8.0.14 and earlier, and PAN-OS 8.1.5 and earlier.

Available Updates

PAN-OS 7.1.22 and later, PAN-OS 8.0.15 and later, and PAN-OS 8.1.6 and later.

Workarounds and Mitigations



Palo Alto Networks would like to thank Mina Mohsen Edwar of Verizon for reporting this issue.