CVE-2013-5664 Cross-site Scripting Vulnerability
Attack Vector NETWORK
Attack Complexity LOW
Confidentiality Impact NONE
Privileges Required NONE
Integrity Impact LOW
User Interaction REQUIRED
Availability Impact NONE
A cross-site scripting vulnerability exists in the web-based device management API browser whereby data provided by the user is echoed back to the user without sanitization. (Ref #50908)
This issue affects the management interface of the device where the API browser is exposed.
This issue affects PAN-OS version 4.1.12 and earlier; 5.0.5 and earlier.
|PAN-OS 5.0||<= 5.0.5||>= 5.0.6|
|PAN-OS 4.1||<= 4.1.12||>= 4.1.13|
CVSSv3.1 Base Score:4.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
PAN-OS 4.1.13 and PAN-OS 5.0.6 address this issue.
Workarounds and Mitigations
This issue only affects the web-based device management API browser.
Jungo Katsuyama, NTT Communications