Reflected cross-site scripting in PAN-OS Captive Portal | The Missing Link

Discovered by Shaun Wheelhouse on behalf of The Missing Link Security

Vulnerability Details

A vulnerability in the PAN-OS Captive Portal could allow a cross-site scripting (XSS) attack against clients viewing the captive portal page when the portal is configured in a certain way (Ref #PAN-85238 / CVE-2017-16878).

Severity: Medium

Successful exploitation of this issue may allow an attacker to inject arbitrary JavaScript or HTML.

Affected Versions

PAN-OS 8.0.6-h3 and earlier. 
Cross Site Scripting in PAN-OS Captive Portal (PAN-SA-2017-0031).

Note: Customers not using the Captive Portal function within PAN-OS are not impacted by this vulnerability.

Fixed Versions

PAN-OS 8.0.7 and later
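
The version ranges above can be checked across a firewall inventory with a short script. This is an added example, not code from the advisory or from Palo Alto Networks. It assumes versions of the form major.minor.maintenance with an optional -hN hotfix suffix, treats every release below 8.0.7 as affected per "and earlier", and uses a constructed inventory whose hostnames and fields are hypothetical.

```python
import re

# Fixed release stated in the advisory: PAN-OS 8.0.7 and later.
FIXED = (8, 0, 7, 0)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Turn '8.0.6-h3' into (8, 0, 6, 3); a missing hotfix counts as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def triage(version, captive_portal_enabled):
    """Classify one firewall against the advisory's version ranges."""
    try:
        parsed = parse_panos_version(version)
    except ValueError:
        return "check-manually"  # unparseable version: never guess
    if parsed >= FIXED:
        return "fixed"
    # Per the advisory's note, devices not using Captive Portal are not impacted.
    return "affected" if captive_portal_enabled else "not-impacted"


# Constructed sample inventory: (hostname, version, captive portal in use).
INVENTORY = [
    ("fw-edge-01", "8.0.6-h3", True),
    ("fw-edge-02", "8.0.7", True),
    ("fw-lab-01", "8.0.10", True),  # a plain string compare ranks this below 8.0.7
    ("fw-branch-01", "7.1.13", False),
    ("fw-branch-02", "8.0.x", True),
]


def triage_inventory(inventory):
    """Map each hostname to its triage status."""
    return {name: triage(version, portal) for name, version, portal in inventory}


if __name__ == "__main__":
    for name, status in triage_inventory(INVENTORY).items():
        print(f"{name}: {status}")
```

A device reported as not-impacted still runs an unfixed release and becomes affected as soon as Captive Portal is enabled on it.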
