CVE-2023-0007: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Palo Alto Networks PAN-OS

Severity: 4.8 MEDIUM (NVD) | CNA 6.5 | CISA 6.8
EPSS: 0.6% (top 29.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 10 | Latest update Oct 22

Description

A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software on Panorama appliances enables an authenticated read-write administrator to store a JavaScript payload in the web interface that will execute in the context of another administrator’s browser when viewed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

Affected Packages (5 packages)

NVD | paloaltonetworks/pan-os | 8.1.0 | 8.1.25 | +3
CVEListV5 | palo_alto_networks/pan-os | 10.0 | 10.0.7 | +3
Palo Alto | paloalto/pan-os

🔴 Vulnerability Details (3)

OSV | s390/crypto: use vector instructions only if available for ChaCha20 | 2025-10-22
GHSA | GHSA-mfm9-435m-m4c2: A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software on Panorama appliances enables an authenticated read-write administra | 2023-07-06
CVEList | PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface | 2023-05-10

📋 Vendor Advisories (4)

Red Hat | kernel: s390/crypto: use vector instructions only if available for ChaCha20 | 2025-10-22
Palo Alto | PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface | 2023-05-10
VMware | VMware Aria Operations for Logs (Operations for Logs) update addresses multiple vulnerabilities. (CVE-2023-20864, CVE-2023-20865) | 2023-04-20
CISA | Mitel MiVoice Connect Command Injection Vulnerability | 2023-02-21