Palo Alto Networks - Product Advisory Alert - Cross Site Scripting Vulnerability

Palo Alto Networks - Product Advisory Alert

Posted: 14/5 2015

Palo Alto have informed Teneo this week of a Cross-Site Scripting vulnerability in the web-based device management interface.

Summary

A cross-site scripting vulnerability exists in the web-based device management interface whereby data provided by the user is echoed back to the user without sanitization. (Ref# 73638)

Severity: Medium

This issue affects the management interface of the device, where an authenticated administrator may be tricked into injecting malicious javascript into the web UI interface.

Products Affected

PAN-OS 6.1.2 and earlier; PAN-OS 6.0.8 and earlier; PAN-OS 5.0.15 and earlier

Available Updates

PAN-OS 6.1.3, PAN-OS 6.0.9, and PAN-OS 5.0.16 address this issue.

Workarounds and Mitigations

This issue affects the management interface of the device. Security appliance management best practices dictate that the management interface be isolated and strictly limited only to security administration personnel.

Acknowledgements

Avi Gimpel, Oded Vanunu, and Liad Mizrachi from Check Point Security Research Team

Keep up to date with the latest news

We will be keeping up to date with all the latest information and updates, so please get in touch with any questions or concerns at support@teneo.net

To keep up to date with what we know, follow us on Twitter