Cross-site scripting vulnerability (PAN-SA-2016-0009)

Last revised: 08/24/2016

Summary

A cross-site scripting vulnerability exists in the web interface whereby data provided by the user is stored without sanitization (Ref 90635, CVE-2016-2219).

Severity: Low

This issue affects the management interface of the device, where an authenticated administrator may be tricked into injecting malicious JavaScript into the web interface.

Products Affected

PAN-OS 7.0.1 to PAN-OS 7.0.7

Available Updates

PAN-OS 7.0.8 and later

Workarounds and Mitigations

This issue can be reached only by authenticated users of the web interface. Palo Alto Networks recommends implementing best practices: allow management access only from a restricted set of IP addresses, and dedicate management of the device to the management interface only.

Acknowledgements

Roman Zaikin, CheckPoint Security Team; Juan Sacco, Exploit Pack