CVE-2024-5906 Prisma Cloud Compute: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface
Description
A cross-site scripting (XSS) vulnerability in Palo Alto Networks Prisma Cloud Compute software enables a malicious administrator with add/edit permissions for identity providers to store a JavaScript payload using the web interface on Prisma Cloud Compute. This enables a malicious administrator to perform actions in the context of another user's browser when accessed by that other user.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Prisma Cloud Compute 32 | < 32.05 (O’Neal - Update 5) | >= 32.05 (O’Neal - Update 5) |
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-B: 4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Solution
This issue is fixed in Prisma Cloud Compute 32.05 (O'Neal - Update 5) and all later versions.