Palo Alto Networks PAN-OS 7.0.x < 7.0.8 Multiple Vulnerabilities (PAN-SA-2016-0008 / PAN-SA-2016-0009)
Severity: Medium
Nessus Plugin ID: 92942

Synopsis
The remote host is affected by multiple vulnerabilities.

Description
The version of Palo Alto Networks PAN-OS running on the remote host is 7.0.x prior to 7.0.8. It is, therefore, affected by the following vulnerabilities:
- A denial of service vulnerability exists in the API hosted on the management interface, specifically in the panUserLogin() function within panmodule.so, due to improper validation of user-supplied input to the 'username' and 'password' parameters. An unauthenticated, remote attacker can exploit this, via a crafted request, to cause the process to terminate.
- A cross-site scripting (XSS) vulnerability exists in the Application Command Center (ACC) due to improper sanitization of user-supplied input before returning it to users. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session.
Solution
Upgrade to Palo Alto Networks PAN-OS version 7.0.8 or later.
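A defender-side triage helper, added here as an example and not part of the Nessus plugin or of Palo Alto Networks' own code: it encodes the advisory's affected range (7.0.x prior to 7.0.8) and flags inventory entries that still need the upgrade. The hotfix suffix format ("-hN") and the sample inventory are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected branch and first fixed release, taken from the advisory text above.
AFFECTED_BRANCH = (7, 0)
FIXED_VERSION = (7, 0, 8)

# Assumed PAN-OS version string format: major.minor.patch with an optional
# "-hN" hotfix suffix. The advisory itself only names 7.0.x and 7.0.8.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_pan_os_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, hotfix), or None if the string is not a
    recognisable release string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version: str) -> bool:
    """True when the version is in the 7.0.x branch and older than 7.0.8.

    A hotfix on 7.0.7 (e.g. 7.0.7-h3) is still below the fixed release, while
    any hotfix of 7.0.8 is at or above it, so comparing (major, minor, patch)
    is sufficient. Unparseable input raises rather than passing as safe.
    """
    parsed = parse_pan_os_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, _hotfix = parsed
    if (major, minor) != AFFECTED_BRANCH:
        return False  # other branches are outside this advisory's scope
    return (major, minor, patch) < FIXED_VERSION


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose PAN-OS version needs the 7.0.8 upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostname -> reported PAN-OS version).
SAMPLE_INVENTORY = {
    "fw-edge-01": "7.0.5",
    "fw-dc-02": "7.0.8",
    "fw-lab-03": "7.0.7-h3",
    "fw-old-04": "6.1.12",
}

if __name__ == "__main__":
    print("Needs upgrade to 7.0.8:", triage(SAMPLE_INVENTORY))
```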