Lucene search

Palo Alto Networks Product Security Incident Response TeamPA-CVE-2024-0011

HistoryFeb 14, 2024 - 5:00 p.m.

PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in Captive Portal Authentication

2024-02-1417:00:00

Palo Alto Networks Product Security Incident Response Team

securityadvisories.paloaltonetworks.com

pan-os

reflected xss

captive portal

authentication

threat prevention

threat id 93070

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

5.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

A reflected cross-site scripting (XSS) vulnerability in the Captive Portal feature of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user’s browser if that user clicks on a malicious link, allowing phishing attacks that could lead to credential theft.

Work around:
Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 93070 (Applications and Threats content update 8810).

CPENameOperatorVersion
pan-oslt8.1.24
pan-oslt9.0.17
pan-oslt9.1.13
pan-oslt10.0.11
pan-oslt10.1.3

Name	Operator	Version
pan-os	lt	8.1.24
pan-os	lt	9.0.17
pan-os	lt	9.1.13
pan-os	lt	10.0.11
pan-os	lt	10.1.3

References

security.paloaltonetworks.com/CVE-2024-0011

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

5.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for PA-CVE-2024-0011