Palo Alto Networks PAN-OS Portal Feature Vulnerable to Reflected Cross-Site Scripting Attacks

CVE-2024-0010

4.3MEDIUM

Key Information

Vendor: Palo Alto Networks
Status: Pan-os; Prisma Access; Cloud Ngfw
Vendor: CVE Published:; 14 February 2024

Badges

👾 Exploit Exists

Summary

A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect portal feature of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript (in the context of a user’s browser) if a user clicks on a malicious link, allowing phishing attacks that could lead to credential theft.

Affected Version(s)

PAN-OS < 9.0.17-h4

PAN-OS < 9.1.17

PAN-OS < 10.1.11-h1

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

👾
Exploit exists.
Aug 1, 2024
Initial publication
Feb 14, 2024
Vulnerability published.
Feb 14, 2024
Vulnerability Reserved.
Nov 9, 2023

Collectors

NVD DatabaseMitre Database

Credit

Palo Alto Networks thanks Michał Majchrowicz and Livio Victoriano from Afine Team for discovering and reporting this issue.