Title: Reflected cross-site scripting in PAN-OS Captive Portal
Discovery: Shaun Wheelhouse on behalf of The Missing Link Security
A vulnerability exists in PAN-OS Captive Portal that could allow a cross-site scripting (XSS) attack against clients viewing the Captive Portal page when the portal is configured in a certain way (Ref #PAN-85238 / CVE-2017-16878).
Affected: PAN-OS 8.0.6-h3 and earlier.
Cross Site Scripting in PAN-OS Captive Portal (PAN-SA-2017-0031).
Fixed in: PAN-OS 8.0.7 and later.
Workarounds and Mitigations
Customers not using the Captive Portal function within PAN-OS are not impacted by this vulnerability.
Palo Alto Networks would like to thank Shaun Wheelhouse for reporting this issue to us.