Palo Alto Networks Security Advisories / PAN-SA-2016-0032

PAN-SA-2016-0032 Insecure Browser API Token Generation


047910
Severity 6.8 · MEDIUM
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity HIGH
Confidentiality Impact HIGH
Privileges Required NONE
Integrity Impact HIGH
User Interaction REQUIRED
Availability Impact NONE
JSON CSAF
Published 2016-10-31
Updated 2016-10-31
Reference PAN-61046, PAN-100428, PAN-SA-2016-0032
Discovered externally

Description

The Palo Alto Networks firewalls API browser does not properly use the REST API tokens. In a specific scenario, an attacker could steal the authentication token and perform calls to the firewall’s API. (Ref # PAN-61046/PAN-100428)

This post-authentication issue requires the attacker to have access to a logged-in administrator’s browser.

This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.4 and earlier

Product Status

VersionsAffectedUnaffected
PAN-OS 7.1<= 7.1.4>= 7.1.5
PAN-OS 7.0<= 7.0.10>= 7.0.11
PAN-OS 6.1<= 6.1.14>= 6.1.15
PAN-OS 6.0<= 6.0.14>= 6.0.15
PAN-OS 5.1<= 5.1.12>= 5.1.13
PAN-OS 5.0<= 5.0.19>= 5.0.20

Severity: MEDIUM

CVSSv3.1 Base Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)

Solution

PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.5 and later

Acknowledgments

Palo Alto Networks would like to thank Travis Christianson for reporting this issue to us.
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2025 Palo Alto Networks, Inc. All rights reserved.