PAN-SA-2016-0014 Cross-site scripting issue in policy
Palo Alto Networks firewalls running the PAN-OS web interface are subject to a cross-site scripting vulnerability (Ref. 93072).
This issue can be exploited only by interactive users who are logged in to the management interface with read and write privileges.
This issue affects PAN-OS 5.0.18 and earlier; PAN-OS 5.1.11 and earlier; PAN-OS 6.0.13 and earlier; PAN-OS 6.1.11 and earlier; PAN-OS 7.0.7 and earlier.
|Versions|Affected|Unaffected|
|---|---|---|
|PAN-OS 7.0|<= 7.0.7|>= 7.0.8|
|PAN-OS 6.1|<= 6.1.11|>= 6.1.12|
|PAN-OS 6.0|<= 6.0.13|>= 6.0.14|
|PAN-OS 5.1|<= 5.1.11|>= 5.1.12|
|PAN-OS 5.0|<= 5.0.18|>= 5.0.19|
CVSSv3.1 Base Score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
This issue is fixed in PAN-OS 5.0.19 and later; PAN-OS 5.1.12 and later; PAN-OS 6.0.14 and later; PAN-OS 6.1.12 and later; PAN-OS 7.0.8 and later.
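To triage a firewall inventory against the affected and fixed versions listed above, a check along these lines can be used. This is an added example, not Palo Alto Networks code: the host names and inventory are constructed, and treating a `-hN` hotfix build as its base maintenance release is an assumption.

```python
import re

# Last affected maintenance release per branch, taken from this advisory.
LAST_AFFECTED = {(5, 0): 18, (5, 1): 11, (6, 0): 13, (6, 1): 11, (7, 0): 7}

# major.minor.maintenance with an optional hotfix suffix such as "-h2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed' for a version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"  # do not guess: surface for manual review
    major, minor, maint = (int(g) for g in m.groups())
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return "not-listed"  # branch is not covered by this advisory
    # Assumption: a hotfix of an affected maintenance release is still affected,
    # because the advisory names the next maintenance release as the fix.
    return "affected" if maint <= last else "fixed"


def minimum_fixed(version):
    """Return the first fixed release on the same branch, or None if not applicable."""
    m = _VERSION_RE.match(version.strip())
    if not m or (int(m.group(1)), int(m.group(2))) not in LAST_AFFECTED:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    return f"{major}.{minor}.{LAST_AFFECTED[(major, minor)] + 1}"


def triage(inventory):
    """Group host names by classification."""
    report = {"affected": [], "fixed": [], "not-listed": [], "unparsed": []}
    for host, version in sorted(inventory.items()):
        report[classify(version)].append(host)
    return report


# Constructed inventory for illustration only.
INVENTORY = {"fw-edge-1": "7.0.7-h2", "fw-edge-2": "7.0.8", "fw-lab": "6.1.11",
             "fw-dc": "7.1.4", "fw-old": "5.0.19", "fw-unknown": "n/a"}

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(status, hosts)
```

Hosts reported as `not-listed` or `unparsed` need manual review, since the advisory makes no statement about them.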
Workarounds and Mitigations
This issue can be exploited only by users who are authenticated to the web interface. Palo Alto Networks recommends implementing best practices, only allowing management access to a restricted set of IP addresses, and dedicating management of the device to the management interface only.