Get supportSecurity advisories
SubscriptionsReport vulnerabilities
Palo Alto Networks Security Advisories / CVE-2019-1578

CVE-2019-1578 Cross Site Scripting (XSS) in MineMeld


Severity 6.1 · MEDIUM
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction REQUIRED
Scope CHANGED
Confidentiality Impact LOW
Integrity Impact LOW
Availability Impact NONE
NVD JSON
Published: 2019-06-27
Updated: 2019-06-27
Ref#: PAN-SA-2019-0015

Description

A reflected cross-site scripting (XSS) vulnerability exists in Palo Alto Networks MineMeld. (Ref CVE-2019-1578)

A remote attacker able to convince an authenticated MineMeld admin to type malicious input in the MineMeld UI could execute arbitrary JavaScript code in the admin’s browser.

This issue affects Open Source Community Supported MineMeld version 0.9.60 and earlier.

AutoFocus-Hosted MineMeld is NOT affected.

Product Status

MineMeld

VersionsAffectedUnaffected
0.9<= 0.9.60>= 0.9.62.

Severity: MEDIUM

CVSSv3.1 Base Score: 6.1 ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N )

Solution

Open Source Community Supported MineMeld version 0.9.62.

Workarounds and Mitigations

Users of affected versions who can’t upgrade to 0.9.62 or later should set the environment variable DISABLE_NEW_EXTENSIONS=1 in MineMeld service startup to prevent the execution of the vulnerable code.

Acknowledgements

  • Palo Alto Networks would like to thank Netskope and Veracode for reporting this issue.
Terms of UsePrivacyProduct Security Assurance and Vulnerability Disclosure Policy Report VulnerabilitiesManage Subscriptions
© 2020 Palo Alto Networks, Inc. All rights reserved.