Cross Site Scripting (XSS) in MineMeld (PAN-SA-2019-0015)

Last revised: 06/27/2019

Summary

A reflected cross-site scripting (XSS) vulnerability exists in Palo Alto Networks MineMeld. (Ref CVE-2019-1578)

Severity: Low

A remote attacker able to convince an authenticated MineMeld admin to type malicious input in the MineMeld UI could execute arbitrary JavaScript code in the admin’s browser.

Products Affected

Open Source Community Supported MineMeld version 0.9.60 and earlier. AutoFocus-Hosted MineMeld is NOT affected.

Available Updates

Open Source Community Supported MineMeld version 0.9.62.

Workarounds and Mitigations

Users of affected versions who can’t upgrade to 0.9.62 or later should set the environment variable DISABLE_NEW_EXTENSIONS=1 in MineMeld service startup to prevent the execution of the vulnerable code.

Acknowledgements

Palo Alto Networks would like to thank Netskope and Veracode for reporting this issue.