Description
A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Affected products
- Palo Alto Networks / pan-os 9.0 – 9.0.9
- Palo Alto Networks / pan-os 9.1.0 – 9.1*
- Palo Alto Networks / pan-os 8.1 – 8.1.16
- Palo Alto Networks / pan-os 10.0.0 – 10.0*
Exploits & PoCs
- nuclei: Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting, by madrobot, j4vaovo