Palo Alto Networks Security Advisories / PAN-SA-2016-0031

PAN-SA-2016-0031 Cross-Site Scripting in Web Interface


047910
Severity 5.8 · MEDIUM
Attack Vector LOCAL
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact HIGH
Privileges Required HIGH
Integrity Impact HIGH
User Interaction REQUIRED
Availability Impact NONE
JSON
Published 2016-10-18
Updated 2020-08-25
Reference PAN-57659 and PAN-95895 PAN-SA-2016-0031
Discovered externally

Description

The Palo Alto Networks web management interface is vulnerable to a post-authentication persistent cross-site scripting condition in the monitor tab. (Ref # PAN-57659/95895).

This issue affects the management interface of the device, where an authenticated administrator could inject malicious JavaScript into the web interface.

This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.13 and earlier; PAN-OS 7.0.9 and earlier; PAN-OS 7.1.4 and earlier

Product Status

VersionsAffectedUnaffected
PAN-OS 7.1<= 7.1.4>= 7.1.5
PAN-OS 7.0<= 7.0.9>= 7.0.10
PAN-OS 6.1<= 6.1.13>= 6.1.14
PAN-OS 6.0<= 6.0.14>= 6.0.15
PAN-OS 5.1<= 5.1.12>= 5.1.13
PAN-OS 5.0<= 5.0.19>= 5.0.20

Severity: MEDIUM

CVSSv3.1 Base Score: 5.8 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N)

Weakness Type

CWE-79 Cross-site Scripting (XSS)

Solution

PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.14 and later; PAN-OS 7.0.10 and later; PAN-OS 7.1.5 and later

Workarounds and Mitigations

N/A

Acknowledgments

Juan Sacco, Exploit Pack.
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2024 Palo Alto Networks, Inc. All rights reserved.