A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect Clientless VPN that can compromise the user's active session.
This issue affects:
PAN-OS 7.1 versions earlier than 7.1.26;
PAN-OS 8.1 versions earlier than 8.1.13;
PAN-OS 9.0 versions earlier than 9.0.7;
All versions of PAN-OS 8.0.
| Versions | Affected | Unaffected |
|---|---|---|
| 9.0 | < 9.0.7 | >= 9.0.7 |
| 8.1 | < 8.1.13 | >= 8.1.13 |
| 8.0 | 8.0.* | |
| 7.1 | < 7.1.26 | >= 7.1.26 |
This issue only affects firewalls configured with GlobalProtect Clientless VPN.
CVSSv3.1 Base Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
This issue is fixed in PAN-OS 7.1.26, PAN-OS 8.1.13, PAN-OS 9.0.7, and all later versions of PAN-OS.
PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.
Configure GlobalProtect Clientless VPN to only access known trusted websites, and block access all other websites.