CVE-2023-0007
Published 2023-05-10
Priority: P4 · 19 · Severity: medium · CVSS 3.1 base score: 4.8
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.43% (34.3rd percentile)
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software on Panorama appliances enables an authenticated read-write administrator to store a JavaScript payload in the web interface that will execute in the context of another administrator’s browser when viewed.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 5.19.0 < 6.1.30 | 6.1.30 |
| linux | linux_kernel | >= 6.2.0 < 6.3.4 | 6.3.4 |
| palo_alto_networks | pan-os | >= 10.0 < 10.0.7 | 10.0.7 |
| palo_alto_networks | pan-os | >= 8.1 < 8.1.25 | 8.1.25 |
| palo_alto_networks | pan-os | >= 9.0 < 9.0.17 | 9.0.17 |
| palo_alto_networks | pan-os | >= 9.1 < 9.1.16 | 9.1.16 |
| paloalto | cloud_ngfw | — | — |
| paloalto | pan-os | — | — |
| paloalto | prisma_access | — | — |
| paloaltonetworks | pan-os | >= 10.0.0 < 10.0.7 | 10.0.7 |
| paloaltonetworks | pan-os | >= 8.1.0 < 8.1.25 | 8.1.25 |
| paloaltonetworks | pan-os | >= 9.0.0 < 9.0.17 | 9.0.17 |
| paloaltonetworks | pan-os | >= 9.1.0 < 9.1.16 | 9.1.16 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| cisa | — | 6.8 | MEDIUM | — |
| vendor_redhat | — | 5.5 | LOW | — |
OSV
CVE-2023-53702: s390/crypto: use vector instructions only if available for ChaCha20
osv · 2025-10-22
In the Linux kernel, the following vulnerability has been resolved:
s390/crypto: use vector instructions only if available for ChaCha20
Commit 349d03ffd5f6 ("crypto: s390 - add crypto library interface for ChaCha20") added a library interface to the s390 specific ChaCha20 implementation. However, no check was added to verify if the required facilities are installed before branching into the assembler code. If compiled into the kernel, this will lead to the following crash, if vector instructions are not available:
data exception: 0007 ilc:3 [#1] SMP
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.3.0-rc7+ #11
Hardware name: IBM 3931 A01 704 (KVM/Linux)
Krnl PSW : 0704e00180000000 000000001857277a (chacha
GHSA
GHSA-mfm9-435m-m4c2: CVE-2023-0007 [MEDIUM] CWE-79
ghsa_unreviewed · 2023-07-06
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software on Panorama appliances enables an authenticated read-write administrator to store a JavaScript payload in the web interface that will execute in the context of another administrator’s browser when viewed.
Red Hat
CVE-2023-53702 [LOW] CWE-252: kernel: s390/crypto: use vector instructions only if available for ChaCha20
vendor_redhat · 2025-10-22 · CVSS 5.5
Palo Alto
CVE-2023-0007 [MEDIUM] CWE-80: PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface
vendor_paloalto · 2023-05-10 · CVSS 4.8
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software on Panorama appliances enables an authenticated read-write administrator to store a JavaScript payload in the web interface that will execute in the context of another administrator’s browser when viewed.
Affected products: Cloud NGFW, PAN-OS, Prisma Access
Solution: This issue is fixed in PAN-OS 8.1.25, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.7, and all later PAN-OS versions.
Workaround: This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following best practices for securing the PAN-OS web interface. Please review the Best Practices fo
VMware
VMSA-2023-0007 / CVE-2023-20864 [CRITICAL]: VMware Aria Operations for Logs (Operations for Logs) update addresses multiple vulnerabilities. (CVE-2023-20864, CVE-2023-20865)
vendor_vmware · 2023-04-20 · CVSS 9.8
VMware Aria Operations for Logs contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
CVEs: CVE-2023-20864, CVE-2023-20865
Affected products: VMware Aria, VMware Cloud Foundation
CISA
CVE-2022-40765 [MEDIUM] CWE-77: Mitel MiVoice Connect Command Injection Vulnerability
cisa · 2023-02-21 · CVSS 6.8
Affected: Mitel MiVoice Connect
The Mitel Edge Gateway component of MiVoice Connect allows an authenticated attacker with internal network access to execute commands within the context of the system.
Required Action: Apply updates per vendor instructions.
Notes: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0007; https://nvd.nist.gov/vuln/detail/CVE-2022-40765
Remediation Due Date: 2023-03-14
No detection rules found.
No public exploits indexed.
Published: 2023-05-10