CVE-2020-2005 PAN-OS: GlobalProtect Clientless VPN session hijacking
A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect Clientless VPN that can compromise the user's active session.
This issue affects:
PAN-OS 7.1 versions earlier than 7.1.26;
PAN-OS 8.1 versions earlier than 8.1.13;
PAN-OS 9.0 versions earlier than 9.0.7;
All versions of PAN-OS 8.0.
|PAN-OS 9.0||< 9.0.7||>= 9.0.7|
|PAN-OS 8.1||< 8.1.13||>= 8.1.13|
|PAN-OS 7.1||< 7.1.26||>= 7.1.26|
Required Configuration for Exposure
This issue only affects firewalls configured with GlobalProtect Clientless VPN.
CVSSv3.1 Base Score:7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
This issue is fixed in PAN-OS 7.1.26, PAN-OS 8.1.13, PAN-OS 9.0.7, and all later versions of PAN-OS.
PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.
Workarounds and Mitigations
Configure GlobalProtect Clientless VPN to only access known trusted websites, and block access all other websites.