Palo Alto Networks Security Advisories
CVE-2017-7409 Cross-Site Scripting in PAN-OS
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction REQUIRED
Confidentiality Impact LOW
Integrity Impact LOW
Availability Impact NONE
Published 2017-04-20
Updated 2017-04-20
Reference PAN-70674 PAN-SA-2017-0011
Description
A vulnerability exists in the PAN-OS GlobalProtect external interface that could allow for a cross-site scripting (XSS) attack. PAN-OS does not properly validate specific request parameters. (Ref # PAN-70674 / CVE-2017-7409)
This issue affects PAN-OS 7.0.14 and earlier.
Versions    Affected    Unaffected
PAN-OS 7.0  <= 7.0.14   >= 7.0.15
Severity: MEDIUM
CVSSv3.1 Base Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Weakness Type
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Solution
PAN-OS 7.0.15 and later
Workarounds and Mitigations
Customers that have not configured GlobalProtect are not affected by this issue.
Palo Alto Networks would like to thank Jarrod Phelps from Uber for reporting this issue to us.