Palo Alto Networks Security Advisories / CVE-2019-1565

CVE-2019-1565 Cross-Site Scripting (XSS) in PAN-OS External Dynamic Lists


Severity: 5.4 · MEDIUM
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

Description

A Cross-Site Scripting (XSS) vulnerability exists in the PAN-OS External Dynamic Lists. (Ref. # PAN-106776; CVE-2019-1565)

Successful exploitation of this issue may allow an attacker who is authenticated to the Next Generation Firewall with write privileges to the External Dynamic List configuration to inject arbitrary JavaScript or HTML.

This issue affects PAN-OS 7.1.21 and earlier, PAN-OS 8.0.14 and earlier, and PAN-OS 8.1.5 and earlier.

Product Status

PAN-OS

Versions    Affected     Unaffected
7.1         <= 7.1.21    >= 7.1.22
8.0         <= 8.0.14    >= 8.0.15
8.1         <= 8.1.5     >= 8.1.6

Severity: MEDIUM

CVSSv3.1 Base Score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Solution

This issue is fixed in PAN-OS 7.1.22 and later, PAN-OS 8.0.15 and later, and PAN-OS 8.1.6 and later.

Workarounds and Mitigations

N/A

Acknowledgements

Palo Alto Networks would like to thank Mina Mohsen Edwar of Verizon for reporting this issue.