CVE-2023-6790 PAN-OS: DOM-Based Cross-Site Scripting (XSS) Vulnerability in the Web Interface
Urgency MODERATE
Response Effort LOW
Recovery AUTOMATIC
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements PRESENT
Automatable YES
User Interaction ACTIVE
Product Confidentiality HIGH
Product Integrity HIGH
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE
Published 2023-12-13
Updated 2023-12-13
Reference PAN-193367
Discovered externally
Description
A DOM-Based cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a remote attacker to execute a JavaScript payload in the context of an administrator’s browser when they view a specifically crafted link to the PAN-OS web interface.
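The advisory names neither the source nor the sink involved, so the following is an added, generic illustration of the CWE-79 DOM-based pattern it describes and is not PAN-OS code. Everything in it is assumed for the example: the `tab` fragment parameter, the tab names, the payload, the hostname and the element stand-in used so it runs under Node without a browser. It shows the chain from a URL fragment the attacker controls to an `innerHTML` sink, and two client-side fixes.

```javascript
// Added generic illustration of a DOM-based XSS (CWE-79) and two fixes.
// NOT PAN-OS code: the advisory does not name the vulnerable source or sink,
// so the "tab" fragment parameter, tab names, payload, hostname and element
// stand-in below are all assumptions made for this example.
//
// DOM-based XSS chains a source the attacker controls via the URL (here the
// fragment, window.location.hash) to a sink that interprets the value as
// markup (here innerHTML). The fragment is never sent to the server, so
// server-side validation, logging and WAF rules do not see it; the fix has
// to live in the client-side code.

// Minimal stand-in for a DOM element so this runs under Node without a
// browser. In a real page this would be document.getElementById("tab-title").
function fakeElement() {
  return { innerHTML: "", textContent: "" };
}

// Constructed "specifically crafted link" of the kind an attacker would send
// to an administrator; the fragment carries a typical DOM XSS payload,
// percent-encoded as a browser would transmit it.
const XSS_PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const CRAFTED_LINK =
  "https://firewall.example.net/#tab=" + encodeURIComponent(XSS_PAYLOAD);

// Source: read the tab name from the URL fragment (client-side routing).
function tabFromFragment(href) {
  const hash = new URL(href).hash; // e.g. "#tab=%3Cimg%20src%3Dx..."
  const m = /^#tab=(.*)$/.exec(hash);
  return m ? decodeURIComponent(m[1]) : "";
}

// Vulnerable sink: attacker-controlled text is concatenated into HTML.
function renderTabVulnerable(href, el = fakeElement()) {
  el.innerHTML = "<h2>Tab: " + tabFromFragment(href) + "</h2>";
  return el;
}

// Fix 1: write the value as text. textContent never parses markup, so the
// payload is displayed literally instead of executed.
function renderTabTextOnly(href, el = fakeElement()) {
  el.textContent = "Tab: " + tabFromFragment(href);
  return el;
}

// Fix 2 (preferred when the set of values is fixed): allow-list the value
// before it reaches any sink and fall back to a safe default. The tab names
// are assumed for the example.
const KNOWN_TABS = new Set(["dashboard", "monitor", "policies", "objects", "network", "device"]);

function renderTabAllowlisted(href, el = fakeElement()) {
  const tab = tabFromFragment(href);
  const safeTab = KNOWN_TABS.has(tab) ? tab : "dashboard";
  el.textContent = "Tab: " + safeTab;
  return el;
}

// Triage aid when reviewing what a sink received: does the rendered HTML
// contain an element carrying an inline event handler?
function looksInjected(html) {
  return /<\w+[^>]*\bon\w+\s*=/i.test(html);
}

console.log("vulnerable innerHTML :", renderTabVulnerable(CRAFTED_LINK).innerHTML);
console.log("textContent fix      :", renderTabTextOnly(CRAFTED_LINK).textContent);
console.log("allow-list fix       :", renderTabAllowlisted(CRAFTED_LINK).textContent);
```

The allow-list form is the stronger fix: it removes the attacker's value before it reaches any sink, so a later refactor that swaps `textContent` back to `innerHTML` does not silently reopen the hole.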
Product Status
Versions        Affected      Unaffected
Cloud NGFW      None          All
PAN-OS 11.1     None          All
PAN-OS 11.0     < 11.0.1      >= 11.0.1
PAN-OS 10.2     < 10.2.4      >= 10.2.4
PAN-OS 10.1     < 10.1.9      >= 10.1.9
PAN-OS 10.0     < 10.0.12     >= 10.0.12
PAN-OS 9.1      < 9.1.16      >= 9.1.16
PAN-OS 9.0      < 9.0.17      >= 9.0.17
PAN-OS 8.1      < 8.1.25      >= 8.1.25
Prisma Access   None          All
Severity: HIGH
CVSSv4.0 Base Score: 7.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Solution
This issue is fixed in PAN-OS 8.1.25, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.12, PAN-OS 10.1.9, PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions.
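For checking a fleet against the Product Status table and the fix versions above, here is an added helper that is not Palo Alto Networks code: it parses the `sw-version` line from `show system info` output, compares it against the first fixed release of the same branch (hotfix suffixes included), treats 11.1 and later as unaffected per the advisory, and reports "unknown" rather than guessing for branches the advisory does not list. The CLI sample is constructed; the version numbers are copied from the advisory.

```javascript
// Added helper, not from Palo Alto Networks: decide whether a PAN-OS
// sw-version string falls inside the affected ranges this advisory lists,
// starting from the raw output of `show system info`. The CLI sample below
// is constructed; the fix versions are copied from the advisory.

// First fixed version per release branch, as given in the Solution section.
const FIXED_IN = {
  "8.1": "8.1.25",
  "9.0": "9.0.17",
  "9.1": "9.1.16",
  "10.0": "10.0.12",
  "10.1": "10.1.9",
  "10.2": "10.2.4",
  "11.0": "11.0.1",
};
// Branch listed with no affected versions; anything later is also fixed
// ("and all later PAN-OS versions").
const FIRST_UNAFFECTED_BRANCH = "11.1";

// Parse "10.2.3-h4" into numeric fields; hotfix is 0 when absent.
// Assumption: the X.Y.Z[-hN] form seen in sw-version; anything else is
// rejected rather than guessed.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised PAN-OS version: ${s}`);
  return { major: +m[1], minor: +m[2], maint: +m[3], hotfix: m[4] ? +m[4] : 0 };
}

// Lexicographic comparison on (major, minor, maint, hotfix): -1, 0 or 1.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "maint", "hotfix"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

function branchOf(v) {
  return `${v.major}.${v.minor}`;
}

// "affected", "unaffected" or "unknown" (a branch the advisory does not cover).
function assessCve20236790(versionString) {
  const v = parseVersion(versionString);
  const fixed = FIXED_IN[branchOf(v)];
  if (fixed) {
    return compareVersions(v, parseVersion(fixed)) < 0 ? "affected" : "unaffected";
  }
  // No entry: either 11.1 or later (never affected) or an unlisted older branch.
  const first = parseVersion(FIRST_UNAFFECTED_BRANCH + ".0");
  return compareVersions(v, first) >= 0 ? "unaffected" : "unknown";
}

// Pull sw-version out of `show system info` output.
function swVersionFromSystemInfo(text) {
  const m = /^\s*sw-version:\s*(\S+)/m.exec(text);
  if (!m) throw new Error("sw-version not found in output");
  return m[1];
}

// Constructed sample of `show system info` (trimmed to the relevant lines).
const SAMPLE_SYSTEM_INFO = `hostname: fw-edge-01
ip-address: 192.0.2.10
model: PA-440
sw-version: 10.2.3-h4
app-version: 8780-8457
`;

const found = swVersionFromSystemInfo(SAMPLE_SYSTEM_INFO);
console.log(`${found}: ${assessCve20236790(found)}`);
```

Feed it the `show system info` output collected from each firewall (or the equivalent field from Panorama's managed-device list) and treat "unknown" as a prompt to check the device against the advisory by hand rather than as a pass.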
Acknowledgments
Palo Alto Networks thanks Kajetan Rostojek for discovering and reporting this issue.
Timeline
2023-12-13 Initial publication