PAN-SA-2016-0033 Cross-Site Scripting in Captive Portal
Palo Alto Networks firewalls can be configured to identify users through a captive portal. This process is vulnerable to a cross-site scripting attack. (Ref # PAN-56221/93759).
The captive portal is reserved to identify internal users, thus should not be exposed to the Internet.
This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.4 and earlier
|PAN-OS 7.1||<= 7.1.4||>= 7.1.5|
|PAN-OS 7.0||<= 7.0.10||>= 7.0.11|
|PAN-OS 6.1||<= 6.1.14||>= 6.1.15|
|PAN-OS 6.0||<= 6.0.14||>= 6.0.15|
|PAN-OS 5.1||<= 5.1.12||>= 5.1.13|
|PAN-OS 5.0||<= 5.0.19||>= 5.0.20|
CVSSv3.1 Base Score:5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CWE-79 Cross-site Scripting (XSS)
PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.5 and later
Workarounds and Mitigations
The captive portal is typically deployed to internal user population as a way to identify local users and should therefore not be exposed to the wider Internet.