Palo Alto Networks Security Advisories / CVE-2013-5664

CVE-2013-5664 Cross-site Scripting Vulnerability

047910
Severity 4.7 · MEDIUM
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction REQUIRED
Scope CHANGED
Confidentiality Impact NONE
Integrity Impact LOW
Availability Impact NONE

Description

A cross-site scripting vulnerability exists in the web-based device management API browser whereby data provided by the user is echoed back to the user without sanitization. (Ref #50908)

This issue affects the management interface of the device where the API browser is exposed.

This issue affects PAN-OS version 4.1.12 and earlier; 5.0.5 and earlier.

Product Status

VersionsAffectedUnaffected
PAN-OS 5.0<= 5.0.5>= 5.0.6
PAN-OS 4.1<= 4.1.12>= 4.1.13

Severity: MEDIUM

CVSSv3.1 Base Score: 4.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)

Weakness Type

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Solution

PAN-OS 4.1.13 and PAN-OS 5.0.6 address this issue.

Workarounds and Mitigations

This issue only affects the web-based device management API browser.

Acknowledgments

Jungo Katsuyama, NTT Communications
© 2020 Palo Alto Networks, Inc. All rights reserved.