Palo Alto Networks Product Security Incident Response TeamPAN-SA-2014-0007Cross-site scripting vulnerability
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS
Percentile
49.8%
A cross-site scripting vulnerability exists in the web-based device management interface whereby data provided by the user is echoed back to the user without sanitization. (Ref # 64563). This vulnerability has been assigned CVE-2014-3764.
This issue affects the management interface of the device, where an authenticated administrator may be tricked into injecting malicious javascript into the web UI interface.
This issue affects PAN-OS version 6.0.5 and earlier; 5.1.9 and earlier; 5.0.14 and earlier.
Work around:
This issue affects the management interface of the device. Security appliance management best practices dictate that the management interface be isolated and strictly limited only to security administration personnel.
Affected configurations
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS
Percentile
49.8%