Last revised: 10/31/2016
Palo Alto Networks firewalls can be configured to identify users through a captive portal. This process is vulnerable to a cross-site scripting attack. (Ref # PAN-56221/93759).
The captive portal is intended for identifying internal users and thus should not be exposed to the Internet.
Affected versions: PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.4 and earlier
Fixed versions: PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.5 and later
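The version lists above can be applied to a firewall inventory with a small triage script. This is an added example, not code from Palo Alto Networks; the hostnames and inventory are constructed, and treating a hotfix build such as `7.1.4-h2` as its base maintenance release is an assumption.

```python
import re

# First fixed maintenance release per PAN-OS branch, taken from the
# version lists in this advisory (e.g. 7.1.4 and earlier affected, 7.1.5 fixed).
FIRST_FIXED = {
    (5, 0): 20, (5, 1): 13,
    (6, 0): 15, (6, 1): 15,
    (7, 0): 11, (7, 1): 5,
}

# major.minor.maintenance with an optional "-hN" hotfix suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split a PAN-OS version string into (major, minor, maintenance, hotfix)."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised PAN-OS version: %r" % text)
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    try:
        major, minor, maint, _hotfix = parse_version(version)
    except ValueError:
        return "unparseable"
    first_fixed = FIRST_FIXED.get((major, minor))
    if first_fixed is None:
        # Branch is not named in the advisory; needs manual review.
        return "not-listed"
    # Assumption: a hotfix build counts as its base maintenance release.
    return "affected" if maint < first_fixed else "fixed"


def triage(inventory):
    """Map each hostname to its status for this advisory."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames).
    sample = {"fw-hq-01": "7.1.4-h2", "fw-hq-02": "7.1.5",
              "fw-lab-01": "6.1.14", "fw-dc-01": "8.0.1"}
    for host, status in sorted(triage(sample).items()):
        print(host, status)
```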
The captive portal is typically deployed to the internal user population as a way to identify local users and should therefore not be exposed to the wider Internet.
Palo Alto Networks would like to thank David Vassallo for reporting this issue to us.