Palo Alto Networks Security Advisories / CVE-2019-1578

CVE-2019-1578 Cross Site Scripting (XSS) in MineMeld

Severity 6.1 · MEDIUM
Attack Vector NETWORK
Attack Complexity LOW
Confidentiality Impact LOW
Privileges Required NONE
Integrity Impact LOW
User Interaction REQUIRED
Availability Impact NONE


A reflected cross-site scripting (XSS) vulnerability exists in Palo Alto Networks MineMeld. (Ref CVE-2019-1578)

A remote attacker able to convince an authenticated MineMeld admin to type malicious input in the MineMeld UI could execute arbitrary JavaScript code in the admin’s browser.

This issue affects Open Source Community Supported MineMeld version 0.9.60 and earlier.

AutoFocus-Hosted MineMeld is NOT affected.

Product Status

MineMeld 0.9<= 0.9.60>= 0.9.62.


CVSSv3.1 Base Score:6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Weakness Type

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


Open Source Community Supported MineMeld version 0.9.62.

Workarounds and Mitigations

Users of affected versions who can’t upgrade to 0.9.62 or later should set the environment variable DISABLE_NEW_EXTENSIONS=1 in MineMeld service startup to prevent the execution of the vulnerable code.


Palo Alto Networks would like to thank Netskope and Veracode for reporting this issue.
© 2023 Palo Alto Networks, Inc. All rights reserved.