CVE-2024-0007 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface
Description
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a malicious authenticated read-write administrator to store a JavaScript payload using the web interface on Panorama appliances. That stored payload can then be used to impersonate another authenticated administrator.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS 11.1 | None | All on Panorama |
PAN-OS 11.0 | None | All on Panorama |
PAN-OS 10.2 | None | All on Panorama |
PAN-OS 10.1 | < 10.1.6 on Panorama | >= 10.1.6 on Panorama |
PAN-OS 10.0 | < 10.0.11 on Panorama | >= 10.0.11 on Panorama |
PAN-OS 9.1 | < 9.1.16 on Panorama | >= 9.1.16 on Panorama |
PAN-OS 9.0 | < 9.0.17 on Panorama | >= 9.0.17 on Panorama |
PAN-OS 8.1 | < 8.1.24-h1 on Panorama, < 8.1.25 on Panorama | >= 8.1.24-h1 on Panorama, >= 8.1.25 on Panorama |
Prisma Access | None | All |
Severity: MEDIUM
CVSSv4.0 Base Score: 6.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Solution
This issue is fixed on Panorama in PAN-OS 8.1.24-h1, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.11, PAN-OS 10.1.6, and all later PAN-OS versions.
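As an added example (not part of this advisory or of any Palo Alto Networks tooling), the following Python script checks a Panorama inventory against the fixed releases listed above and the Product Status table, so an operator can find appliances that still need the update. It assumes versions are written MAJOR.MINOR.MAINT with an optional -hN hotfix suffix, that a hotfix sorts above the base release it patches, and that the hostnames in the sample inventory are constructed.

```python
import re

# Earliest fixed Panorama release per affected PAN-OS train (advisory Solution section).
# For 8.1 the fix shipped as hotfix 8.1.24-h1 (also in 8.1.25+), so plain 8.1.24 is affected.
FIRST_FIXED_ON_PANORAMA = {
    (8, 1): (8, 1, 24, 1),
    (9, 0): (9, 0, 17, 0),
    (9, 1): (9, 1, 16, 0),
    (10, 0): (10, 0, 11, 0),
    (10, 1): (10, 1, 6, 0),
}
UNAFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}  # listed as never affected on Panorama

# Assumption: versions look like MAJOR.MINOR.MAINT[-hN]; a hotfix sorts above its base release.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Turn '8.1.24-h1' into a comparable tuple (8, 1, 24, 1)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))

def is_affected(version, is_panorama=True):
    """True if this release is affected by CVE-2024-0007 (Panorama only)."""
    if not is_panorama:
        return False  # the advisory scopes the issue to Panorama appliances
    v = parse_version(version)
    train = v[:2]
    if train in UNAFFECTED_TRAINS:
        return False
    if train not in FIRST_FIXED_ON_PANORAMA:
        # Not covered by the advisory (e.g. an end-of-life train): do not guess.
        raise ValueError(f"PAN-OS {train[0]}.{train[1]} is not covered by this advisory")
    return v < FIRST_FIXED_ON_PANORAMA[train]

def affected_hosts(inventory):
    """inventory: iterable of (hostname, version, is_panorama); returns affected hostnames."""
    return [host for host, ver, pano in inventory if is_affected(ver, pano)]

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("panorama-a", "10.1.5", True),
    ("panorama-b", "10.1.6", True),
    ("panorama-c", "8.1.24", True),
    ("panorama-d", "8.1.24-h1", True),
    ("panorama-e", "11.1.0", True),
    ("fw-edge-1", "9.1.10", False),  # a firewall, not Panorama: out of scope
]
```

Calling `affected_hosts(SAMPLE_INVENTORY)` returns `['panorama-a', 'panorama-c']`; a train the advisory does not list raises rather than silently reporting it as safe.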
Workarounds and Mitigations
This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.
Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 94996 (Applications and Threats content update 8810).