Palo Alto Networks Security Advisories / CVE-2016-2219

CVE-2016-2219 Cross-site scripting vulnerability


047910
Severity 5.4 · MEDIUM
Attack Vector NETWORK
Scope CHANGED
Attack Complexity LOW
Confidentiality Impact LOW
Privileges Required LOW
Integrity Impact LOW
User Interaction REQUIRED
Availability Impact NONE
CVE JSON CSAF
Published 2016-06-27
Updated 2016-06-27
Reference 90635, PAN-SA-2016-0009

Description

A cross-site scripting vulnerability exists in the web interface whereby data provided by the user is stored without sanitization. (Ref 90635) (CVE-2016-2219). This issue affects the management interface of the device, where an authenticated administrator may be tricked into injecting malicious javascript into the web interface. This issue affects PAN-OS 7.0.1 to PAN-OS 7.0.7

Product Status

VersionsAffectedUnaffected
PAN-OS 7.0>= 7.0.1, < 7.0.8< 7.0.1, >= 7.0.8

Severity: MEDIUM

CVSSv3.1 Base Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Solution

PAN-OS 7.0.8 and later

Workarounds and Mitigations

This issue is available only to authenticated users on the web interface. Palo Alto Networks recommends implementing best practices, only allowing management access to a restricted set of IP address, and dedicating management of the device to the management interface only.

Acknowledgments

Palo Alto Networks thanks Roman Zaikin, CheckPoint Security Team; Juan Sacco, Exploit Pack for discovering and reporting this issue.

CPE Applicability

Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2025 Palo Alto Networks, Inc. All rights reserved.