CVE-2013-5664 Cross-site Scripting Vulnerability
Attack Vector
NETWORK
Scope
CHANGED
Attack Complexity
LOW
Confidentiality Impact
NONE
Privileges Required
NONE
Integrity Impact
LOW
User Interaction
REQUIRED
Availability Impact
NONE
Description
A cross-site scripting vulnerability exists in the web-based device management API browser whereby data provided by the user is echoed back to the user without sanitization. (Ref #50908)
This issue affects the management interface of the device where the API browser is exposed.
This issue affects PAN-OS version 4.1.12 and earlier; 5.0.5 and earlier.
Product Status
Versions | Affected | Unaffected |
---|---|---|
PAN-OS 5.0 | <= 5.0.5 | >= 5.0.6 |
PAN-OS 4.1 | <= 4.1.12 | >= 4.1.13 |
Severity: MEDIUM
CVSSv3.1 Base Score: 4.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
Weakness Type
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Solution
PAN-OS 4.1.13 and PAN-OS 5.0.6 address this issue.
Workarounds and Mitigations
This issue only affects the web-based device management API browser.
Acknowledgments
Palo Alto Networks thanks Jungo Katsuyama, NTT Communications for discovering and reporting the issue.