CVE-2023-6790 PAN-OS: DOM-Based Cross-Site Scripting (XSS) Vulnerability in the Web Interface
Description
A DOM-Based cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a remote attacker to execute a JavaScript payload in the context of an administrator’s browser when they view a specifically crafted link to the PAN-OS web interface.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 11.1 | None | All |
| PAN-OS 11.0 | < 11.0.1 | >= 11.0.1 |
| PAN-OS 10.2 | < 10.2.4 | >= 10.2.4 |
| PAN-OS 10.1 | < 10.1.9 | >= 10.1.9 |
| PAN-OS 10.0 | < 10.0.12 | >= 10.0.12 |
| PAN-OS 9.1 | < 9.1.16 | >= 9.1.16 |
| PAN-OS 9.0 | < 9.0.17 | >= 9.0.17 |
| PAN-OS 8.1 | < 8.1.25 | >= 8.1.25 |
| Prisma Access | None | All |
Severity: HIGH
CVSSv4.0 Base Score: 7.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Solution
This issue is fixed in PAN-OS 8.1.25, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.12, PAN-OS 10.1.9, PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions.
Please note that customers impacted by the PAN-OS root and default certificate expiration issue must carefully select the fixed version of PAN-OS they upgrade their devices to when addressing this vulnerability to not reintroduce the certificate issue. More information and support for the certificate expiration issue in PAN-OS is available at https://live.paloaltonetworks.com/t5/customer-advisories/emergency-update-required-pan-os-root-and-default-certificate/ta-p/564672.