
Palo Alto Network Vulnerability - Cross-Site Scripting (XSS)

01 Jul 2014 00:00:00 | Reported by Root | Type: seebug | www.seebug.org


Palo Alto Network Vulnerability - Cross-Site Scripting (XSS)
------------------------------

Class: Cross-Site Scripting (XSS) Vulnerability
CVE: CVE-2010-0475
Remote: Yes
Local: Yes
Published: May 11, 2010 08:30AM
Timeline:
        Submission to MITRE: 1/18/2010
        Vendor Contact: 2/18/2010
        Vendor Response: 2/18/2010
        Patch Available: 5/2010 Patched in maintenance releases (3.1.1 & 3.0.9)
Credit: Jeromie Jackson CISSP, CISM
        COBIT & ITIL Certified
        President- San Diego Open Web Application Security Project (OWASP)
        Vice President- San Diego Information Audit & Control Association (ISACA)
        SANS Mentor
        LinkedIn: www.linkedin.com/in/securityassessment
        Blog: www.JeromieJackson.com
        Twitter: www.twitter.com/Security_Sifu

Validated Vulnerable:
   Latest Version Per December 31, 2009

Discussion:

A Stored Cross-Site Scripting (XSS) vulnerability was found within the Palo
Alto interface. By crafting a URL that includes XSS code, it is possible to
inject malicious data, redirect the user to a bogus replica of the real
website, or carry out other nefarious activity.

Exploit:
Single Line working-
https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadmin


&admin-role=%5Bobject+Object%5D&bSubmit=O

WORKING FOR REDIRECT TO LOAD cookies into URL.

https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadmin&admin-role=%5Bobject+Object%5D&bSubmit=O

Solution:
A patch will be required from the vendor. It is recommended that a routine
to sanitize user input be implemented consistently throughout the
application to mitigate other such occurrences.
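
A sketch of the kind of input-handling routine the Solution recommends, written for the editUser.esp parameters shown above. This is an added example, not code from the advisory or the vendor: the allow-list patterns, the function names, the host fw.example and the two sample URLs are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allow-list per parameter (hypothetical; the product's real rules
# are not given in the advisory). Anything not listed here is rejected.
PARAM_RULES = {
    "mode": re.compile(r"(edit|add)"),
    "origusername": re.compile(r"[A-Za-z0-9_.-]{1,31}"),
    "deviceC": re.compile(r"[A-Za-z0-9.-]{1,253}"),
    "vsysC": re.compile(r"[A-Za-z0-9./-]{1,253}"),
    "role": re.compile(r"[A-Za-z]{1,32}"),
}

def validate_params(url):
    """Return (clean, rejected): values that fully match their allow-list
    pattern, and the sorted names of parameters that were refused."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    clean, rejected = {}, []
    for name, values in query.items():
        rule = PARAM_RULES.get(name)
        # Refuse unknown names, repeated names, and non-matching values.
        if rule is None or len(values) != 1 or not rule.fullmatch(values[0]):
            rejected.append(name)
        else:
            clean[name] = values[0]
    return clean, sorted(rejected)

def render_field(name, value):
    """Second layer: encode on output for an HTML attribute context, so a
    value that was stored before validation existed is still inert."""
    return '<input name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))

# Constructed sample requests (not taken from the advisory).
GOOD_URL = ("https://fw.example/esp/editUser.esp?mode=edit&origusername=test"
            "&deviceC=localhost.localdomain"
            "&vsysC=localhost.localdomain%2Fvsys1&role=vsysadmin")
BAD_URL = GOOD_URL + "%22%3E%3Ci%3Etest%3C%2Fi%3E"  # markup appended to role

if __name__ == "__main__":
    print(validate_params(GOOD_URL))
    print(validate_params(BAD_URL))
    print(render_field("role", 'vsysadmin"><i>test</i>'))
```

Validation on input and encoding on output are applied together here because the issue is a stored one: rejecting new bad values does not neutralise values already saved.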


