CVE-2024-0010 — Cross-site Scripting in Palo Alto Networks PAN-OS
Associated CWEs (as listed across the aggregated documents):
CWE-79 — Cross-site Scripting
CWE-476 — NULL Pointer Dereference
CWE-667 — Improper Locking
CWE-416 — Use After Free
CWE-413 — Improper Resource Locking
CWE-754 — Improper Check for Unusual or Exceptional Conditions
CWE-130 — Improper Handling of Length Parameter Inconsistency
CWE-362 — Race Condition
CWE-20 — Improper Input Validation
CWE-248 — Uncaught Exception
CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-415 — Double Free
CWE-822 — Untrusted Pointer Dereference
CWE-99 — Resource Injection
CWE-664 — Improper Control of a Resource Through its Lifetime
CWE-665 — Improper Initialization
45 documents, 5 sources
Severity
NVD: 6.1 MEDIUM
CNA: 4.3
EPSS
3.5%
top 12.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 14
Latest update: Jun 18
Description
A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect portal feature of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript (in the context of a user’s browser) if a user clicks on a malicious link, allowing phishing attacks that could lead to credential theft.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7