PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface.
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prisma® Access are not affected by this vulnerability.
| VERSION | MINOR VERSION | SUGGESTED SOLUTION |
|---|---|---|
| Cloud NGFW | | No action needed. |
| PAN-OS 12.1 | 12.1.2 through 12.1.4 | Upgrade to 12.1.5 or later. |
| PAN-OS 11.2 | 11.2.0 through 11.2.10 | Upgrade to 11.2.11 or later. |
| PAN-OS 11.1 | 11.1.0 through 11.1.13 | Upgrade to 11.1.14 or later. |
| PAN-OS 10.2 | 10.2.0 through 10.2.18 | Upgrade to 11.1.14, 11.2.11, 12.1.5 or later. |
| All older unsupported PAN-OS versions | | Upgrade to a supported fixed version. |
| Prisma Access | | No action needed. |
Configurations
No special configuration is required to be affected by this issue.
Workarounds
No known workarounds or mitigations exist for this issue.
Exploits
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Credits
Palo Alto Networks thanks Rajnish Gupta (internal reporter), James Otten (internal reporter), and Jasper Westerman of REQON B.V. for discovering and reporting this issue.