Palo Alto Networks Security Advisories / CVE-2019-1578

CVE-2019-1578 Cross Site Scripting (XSS) in MineMeld

047910
Severity 6.1 · MEDIUM
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction REQUIRED
Scope CHANGED
Confidentiality Impact LOW
Integrity Impact LOW
Availability Impact NONE

Description

A reflected cross-site scripting (XSS) vulnerability exists in Palo Alto Networks MineMeld. (Ref CVE-2019-1578)

A remote attacker able to convince an authenticated MineMeld admin to type malicious input in the MineMeld UI could execute arbitrary JavaScript code in the admin’s browser.

This issue affects Open Source Community Supported MineMeld version 0.9.60 and earlier.

AutoFocus-Hosted MineMeld is NOT affected.

Product Status

VersionsAffectedUnaffected
MineMeld 0.9<= 0.9.60>= 0.9.62.

Severity: MEDIUM

CVSSv3.1 Base Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Weakness Type

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Solution

Open Source Community Supported MineMeld version 0.9.62.

Workarounds and Mitigations

Users of affected versions who can’t upgrade to 0.9.62 or later should set the environment variable DISABLE_NEW_EXTENSIONS=1 in MineMeld service startup to prevent the execution of the vulnerable code.

Acknowledgments

Palo Alto Networks would like to thank Netskope and Veracode for reporting this issue.
© 2020 Palo Alto Networks, Inc. All rights reserved.