
CVE-2017-12416 Cross-Site Scripting in PAN-OS


Severity: 6.1 · MEDIUM
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Published: 2017-08-30
Updated: 2017-08-30
Ref#: PAN-76003, PAN-SA-2017-0023

Description

A vulnerability exists in PAN-OS’s GlobalProtect internal and external gateway interface. This issue could allow for a cross-site scripting (XSS) attack. PAN-OS does not properly validate specific request parameters. (Ref # PAN-76003 / CVE-2017-12416)

Successful exploitation of this issue may allow an attacker to inject arbitrary JavaScript or HTML.

This issue affects PAN-OS 6.1.17 and earlier, PAN-OS 7.0.16 and earlier, PAN-OS 7.1.11 and earlier, and PAN-OS 8.0.2 and earlier.

Product Status

PAN-OS

Versions    Affected     Unaffected
6.1         <= 6.1.17    >= 6.1.18
7.0         <= 7.0.16    >= 7.0.17
7.1         <= 7.1.11    >= 7.1.12
8.0         <= 8.0.2     >= 8.0.3

Severity: MEDIUM

CVSSv3.1 Base Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Solution

This issue is fixed in PAN-OS 6.1.18 and later, PAN-OS 7.0.17 and later, PAN-OS 7.1.12 and later, and PAN-OS 8.0.3 and later.

Workarounds and Mitigations

Customers that have not configured GlobalProtect are not affected by this issue.
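
The Product Status table and the GlobalProtect condition above can be applied to a device inventory as follows. This is an added example, not Palo Alto Networks code; the inventory rows, the hostnames, the major.minor.maintenance[-hN] version format and the choice to judge a hotfix build by its base release are assumptions.

```python
import re

# Last affected maintenance release per branch, from the Product Status table.
LAST_AFFECTED = {(6, 1): 17, (7, 0): 16, (7, 1): 11, (8, 0): 2}

# Assumed version string format: major.minor.maintenance, optional "-hN" hotfix.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def triage(version, globalprotect_configured):
    """Return 'affected', 'unaffected' or 'unlisted' for one device."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint = (int(g) for g in m.groups())
    # Advisory: devices without GlobalProtect configured are not affected.
    if not globalprotect_configured:
        return "unaffected"
    last_affected = LAST_AFFECTED.get((major, minor))
    if last_affected is None:
        # Branch is not in the advisory's table; do not guess either way.
        return "unlisted"
    # Assumption: a hotfix build (e.g. 7.1.11-h2) is judged by its base
    # maintenance release, so it stays 'affected' until the listed fix.
    return "affected" if maint <= last_affected else "unaffected"


def triage_inventory(devices):
    """Map hostname -> status for (hostname, version, gp_configured) rows."""
    return {host: triage(ver, gp) for host, ver, gp in devices}


# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE = [
    ("fw-edge-01", "7.1.11", True),
    ("fw-edge-02", "7.1.12", True),
    ("fw-dc-01", "8.0.2-h1", True),
    ("fw-lab-01", "6.1.17", False),
    ("fw-new-01", "8.1.0", True),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as 'unlisted' run a branch the advisory does not cover and need a separate check against vendor guidance.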

Acknowledgements

  • Palo Alto Networks would like to thank Sonal Shrivastava of PayPal for reporting this issue to us.