Palo Alto Networks PAN-OS GlobalProtect Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the GlobalProtect gateway and portal features of Palo Alto Networks PAN-OS software. This vulnerability allows the execution of malicious JavaScript in the browser of an authenticated Captive Portal user who clicks on a specially crafted link. The main risk associated with this vulnerability is phishing attacks that could lead to credential theft, especially for users with Clientless VPN enabled. There is no impact on the availability of GlobalProtect features or users. While the vulnerability does not allow attackers to modify GlobalProtect portal or gateway contents, it does enable the creation of phishing links that appear to originate from the GlobalProtect portal. For users with Clientless VPN enabled, there is a limited confidentiality risk due to the potential for credential theft. However, users who do not enable Clientless VPN will not experience any confidentiality impact.

Impact

Exploitation of this vulnerability could lead to reflected cross-site scripting, allowing for the execution of malicious scripts in the context of the user's session.

Remediation

Users can upgrade to PAN-OS 11.2.7 or later, PAN-OS 11.1.11 or later, or PAN-OS 10.2.17 or later. For PAN-OS 10.1, users should upgrade to 10.2.17 or later. Customers with a Threat Prevention subscription can block attacks by enabling Threat ID 510003 and 510004.