Description
A reflected cross-site scripting (XSS) vulnerability in the Captive Portal feature of Palo Alto Networks PAN-OS software can allow a JavaScript payload to be executed in the context of an authenticated Captive Portal user’s browser when they click on a specifically crafted link.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected products
- Palo Alto Networks / Cloud NGFWAll – All
- Palo Alto Networks / pan-os10.2 – 10.2.2
- Palo Alto Networks / pan-os10.1 – 10.1.6
- Palo Alto Networks / pan-os10.0 – 10.0.11
- Palo Alto Networks / pan-os9.1 – 9.1.16
- Palo Alto Networks / pan-os9.0 – 9.0.17
- Palo Alto Networks / pan-os8.1 – 8.1.24
- Palo Alto Networks / pan-os11.0 – 11.0
- Palo Alto Networks / Prisma AccessAll – All