A reflected cross-site scripting (XSS) vulnerability exists in Palo Alto Networks MineMeld. (Ref CVE-2019-1578)
A remote attacker able to convince an authenticated MineMeld admin to type malicious input in the MineMeld UI could execute arbitrary JavaScript code in the admin’s browser.
This issue affects Open Source Community Supported MineMeld version 0.9.60 and earlier.
AutoFocus-Hosted MineMeld is NOT affected.
Versions | Affected | Unaffected |
---|---|---|
MineMeld 0.9 | <= 0.9.60 | >= 0.9.62. |
CVSSv3.1 Base Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Open Source Community Supported MineMeld version 0.9.62.
Users of affected versions who can’t upgrade to 0.9.62 or later should set the environment variable DISABLE_NEW_EXTENSIONS=1 in MineMeld service startup to prevent the execution of the vulnerable code.