Palo Alto Networks PAN-OS Software Vulnerable to Reflected Cross-Site Scripting Attacks

CVE-2024-0011

4.3MEDIUM

Key Information

Vendor: Palo Alto Networks
Status: Pan-os; Prisma Access; Cloud Ngfw
Vendor: CVE Published:; 14 February 2024

Badges

👾 Exploit Exists

Summary

A reflected cross-site scripting (XSS) vulnerability in the Captive Portal feature of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript (in the context of an authenticated Captive Portal user’s browser) if a user clicks on a malicious link, allowing phishing attacks that could lead to credential theft.

Affected Version(s)

PAN-OS < 8.1.24

PAN-OS < 9.0.17

PAN-OS < 9.1.13

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

👾
Exploit exists.
Jul 5, 2024
Initial publication
Feb 14, 2024
Vulnerability published.
Feb 14, 2024
Vulnerability Reserved.
Nov 9, 2023

Collectors

NVD DatabaseMitre Database

Credit

Palo Alto Networks thanks Darek Jensen and an external reporter for discovering and reporting this issue.