CVE-2019-1565 Cross-Site Scripting (XSS) in PAN-OS External Dynamic Lists
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |
Description
A Cross-Site Scripting (XSS) vulnerability exists in the PAN-OS External Dynamic Lists. (Ref. # PAN-106776; CVE-2019-1565)
Successful exploitation of this issue may allow an attacker who is authenticated to the Next Generation Firewall with write privileges to the External Dynamic List configuration to inject arbitrary JavaScript or HTML.
This issue affects PAN-OS 7.1.21 and earlier, PAN-OS 8.0.14 and earlier, and PAN-OS 8.1.5 and earlier.
Product Status
Versions | Affected | Unaffected |
---|---|---|
PAN-OS 8.1 | <= 8.1.5 | >= 8.1.6 |
PAN-OS 8.0 | <= 8.0.14 | >= 8.0.15 |
PAN-OS 7.1 | <= 7.1.21 | >= 7.1.22 |
Severity: MEDIUM
CVSSv3.1 Base Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Weakness Type
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Solution
This issue is fixed in PAN-OS 7.1.22 and later, PAN-OS 8.0.15 and later, and PAN-OS 8.1.6 and later.
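The following is an added example, not part of the advisory or any Palo Alto Networks tooling: a small triage script that classifies a firewall inventory against the affected and fixed releases listed above. The hostnames, the inventory format and the handling of the `-hN` hotfix suffix (a hotfix of an affected maintenance release is treated as affected) are assumptions.

```python
import re

# Thresholds copied from the advisory's Product Status table:
# release train -> first unaffected maintenance release.
FIRST_FIXED = {(8, 1): 6, (8, 0): 15, (7, 1): 22}

# Assumption: versions look like "8.1.5" with an optional hotfix suffix "-h1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def classify(version):
    """Return 'affected', 'unaffected', 'not-listed' or 'unparseable'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, maint = (int(m.group(i)) for i in (1, 2, 3))
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        # The advisory makes no statement about other release trains.
        return "not-listed"
    # Assumption: a hotfix of an affected maintenance release (e.g. 8.1.5-h1)
    # is still below the first fixed release, so it counts as affected.
    return "affected" if maint < fixed else "unaffected"


def triage(inventory):
    """Map {hostname: version} to {status: sorted hostnames}."""
    result = {}
    for host, version in inventory.items():
        result.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-edge-01": "8.1.5",
    "fw-edge-02": "8.1.6",
    "fw-dc-01": "8.0.14",
    "fw-dc-02": "8.0.15-h2",
    "fw-lab-01": "7.1.21-h1",
    "fw-lab-02": "9.0.1",
    "fw-lab-03": "unknown",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Devices reported as `not-listed` or `unparseable` need manual review, since the advisory only covers the 7.1, 8.0 and 8.1 release trains.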
Workarounds and Mitigations
N/A
Acknowledgments
Palo Alto Networks would like to thank Mina Mohsen Edwar of Verizon for reporting this issue.