Cross-Site Scripting in Captive Portal (PAN-SA-2016-0033)

Last revised: 10/31/2016


Palo Alto Networks firewalls can be configured to identify users through a captive portal. This process is vulnerable to a cross-site scripting attack. (Ref # PAN-56221/93759).

Severity: Low

The captive portal is intended to identify internal users and should therefore not be exposed to the Internet.

Products Affected

PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.4 and earlier

Available Updates

PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.5 and later
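The two version lists above define, per release branch, the first build that carries the fix. As an added example (not Palo Alto Networks code), the script below encodes those fixed versions and checks an inventory of PAN-OS version strings against them. It assumes versions are dotted integers and strips an optional hotfix suffix of the form "-hN" before comparing; a branch the advisory does not name is reported as unlisted rather than silently treated as fixed.

```python
# Added example: is a given PAN-OS version affected by PAN-SA-2016-0033?
# Not vendor code. Fixed versions are taken from the advisory's
# "Available Updates" list; everything older on the same branch is affected.
import re
from typing import Optional, Tuple

# First fixed build per (major, minor) branch, as stated in the advisory.
FIXED_BY_BRANCH = {
    (5, 0): (5, 0, 20),
    (5, 1): (5, 1, 13),
    (6, 0): (6, 0, 15),
    (6, 1): (6, 1, 15),
    (7, 0): (7, 0, 11),
    (7, 1): (7, 1, 5),
}

# Assumption: versions look like "7.0.10" or "7.0.10-h2"; the hotfix suffix
# is ignored because the advisory lists fixes at the maintenance-release level.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '7.0.10-h2' into (7, 0, 10); raise ValueError on unparseable input."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if older than the branch fix, False if at/after it,
    None if the branch is not listed in the advisory at all."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def classify(version: str) -> str:
    """One-line verdict for a version string, safe to call on bad input."""
    try:
        verdict = is_affected(version)
    except ValueError as exc:
        return f"{version}: {exc}"
    if verdict is None:
        return f"{version}: branch not listed in PAN-SA-2016-0033"
    return f"{version}: {'AFFECTED, update required' if verdict else 'fixed'}"


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    inventory = ["7.0.10", "7.0.11", "7.1.4-h1", "7.1.5", "6.1.15",
                 "5.0.19", "8.0.0", "not-a-version"]
    for v in inventory:
        print(classify(v))
```

Run it against an export of firewall versions from your management system; any "AFFECTED" line identifies a device to upgrade to the listed fixed release for its branch, and the "not listed" verdict is a prompt to consult the vendor's current advisory rather than assume the branch is clean.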

Workarounds and Mitigations

The captive portal is typically deployed to an internal user population as a way to identify local users and should therefore not be exposed to the wider Internet.


Palo Alto Networks would like to thank David Vassallo for reporting this issue to us.