SB2016071917 - Cross-site scripting in Palo Alto PAN-OS
Published: July 19, 2016 Updated: November 22, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to conduct cross-site scripting attacks.
The vulnerability exists due to improper filtering HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code execution by the target user's browser. The code will originate from the Palo Alto PAN-OS interface and will run in the security context of that site. As a result, the code will be able to access the target user's cookies, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Successful exploitation of this vulnerability may result in disclosure of authentication information.
Remediation
Install update from vendor's website.