Description
A reflected cross-site scripting (XSS) vulnerability in the Captive Portal feature of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript (in the context of an authenticated Captive Portal user’s browser) if a user clicks on a malicious link, allowing phishing attacks that could lead to credential theft.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Affected products
- Palo Alto Networks / Cloud NGFWAll – All
- Palo Alto Networks / pan-os9.0 – 9.0.17
- Palo Alto Networks / pan-os9.1 – 9.1.13
- Palo Alto Networks / pan-os10.0 – 10.0.11
- Palo Alto Networks / pan-os10.1 – 10.1.3
- Palo Alto Networks / pan-os8.1 – 8.1.24
- Palo Alto Networks / pan-os11.0 – 11.0
- Palo Alto Networks / pan-os11.1 – 11.1
- Palo Alto Networks / pan-os10.2 – 10.2
- Palo Alto Networks / Prisma AccessAll – All