CVE-2019-1574 Cross-Site Scripting in Expedition Migration Tool

Palo Alto Networks Security Advisories / CVE-2019-1574

CVE-2019-1574 Cross-Site Scripting in Expedition Migration Tool

Severity 5.4 · MEDIUM

Attack Vector NETWORK

Scope CHANGED

Attack Complexity LOW

Confidentiality Impact LOW

Privileges Required LOW

Integrity Impact LOW

User Interaction REQUIRED

Availability Impact NONE

NVD JSON

Published 2019-04-11

Updated

Reference MT-1009 PAN-SA-2019-0009

Discovered externally

Description

A cross-site scripting (XSS) vulnerability exist in the Palo Alto Networks Migration Tool (“Expedition”). (Ref # MT-1009/ CVE-2019-1574)

Successful exploitation of this issue may allow an authenticated attacker to inject arbitrary JavaScript or HTML in the Devices View.

This issue affects Expedition 1.1.12 and earlier.

Note that this issue only impacts the Palo Alto Networks Migration Tool (“Expedition”), a tool available from the Palo Alto Networks Live site. This issue does not affect PAN-OS or any other supported product or service. For more information on Expedition, see: https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool.

Product Status

Versions	Affected	Unaffected
Expedition 1.1	<= 1.1.12	>= 1.1.13

Severity: MEDIUM

CVSSv3.1 Base Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Weakness Type

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Solution

Expedition 1.1.13 and later

Workarounds and Mitigations

n/a

Acknowledgments

Palo Alto Networks would like to thank Sayali Kulkarni of Tenable Research for reporting this issue.