阿里云漏洞库

漏洞描述

A reflected cross-site scripting (XSS) vulnerability in the Palo Alto Network PAN-OS web interface enables an authenticated network-based attacker to mislead another authenticated PAN-OS administrator to click on a specially crafted link that performs arbitrary actions in the PAN-OS web interface as the targeted authenticated administrator. This issue impacts: PAN-OS 8.1 versions earlier than 8.1.20; PAN-OS 9.0 versions earlier than 9.0.14; PAN-OS 9.1 versions earlier than 9.1.10; PAN-OS 10.0 versions earlier than 10.0.2. This issue does not affect Prisma Access.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://security.paloaltonetworks.com/CVE-2021-3052

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	系统	fedora_32	chromium	*		Up to (excluding) 90.0.4430.212-1.fc32
	运行在以下环境
	系统	fedora_33	chromium	*		Up to (excluding) 90.0.4430.212-1.fc33
	运行在以下环境
	系统	fedora_34	chromium	*		Up to (excluding) 91.0.4472.114-1.fc34
	运行在以下环境
	系统	fedora_EPEL_7	chromium	*		Up to (excluding) 90.0.4430.212-1.el7
	运行在以下环境
	系统	fedora_EPEL_8	chromium	*		Up to (excluding) 90.0.4430.212-1.el8
	运行在以下环境
	系统	opensuse_Leap_15.2	opera	*		Up to (excluding) 76.0.4017.154-lp152.2.49.1
	运行在以下环境
	系统	opensuse_Leap_15.3	opera	*		Up to (excluding) 76.0.4017.154-lp153.2.3.1
	运行在以下环境
	系统	opensuse_Leap_15.4	opera	*		Up to (excluding) 85.0.4341.28-lp154.2.5.1
	运行在以下环境
	系统	paloaltonetworks	pan-os	*	From (including) 10.0.0	Up to (excluding) 10.0.2
	运行在以下环境
	系统	paloaltonetworks	pan-os	*	From (including) 8.1.0	Up to (excluding) 8.1.20
	运行在以下环境
	系统	paloaltonetworks	pan-os	*	From (including) 9.0.0	Up to (excluding) 9.0.14
	运行在以下环境
	系统	paloaltonetworks	pan-os	*	From (including) 9.1.0	Up to (excluding) 9.1.10

攻击路径

网络
攻击复杂度

低
权限要求

低
影响范围

未更改
用户交互

需要
可用性

高
保密性

高
完整性

高

CWE-ID	漏洞类型
CWE-79	在Web页面生成时对输入的转义处理不恰当（跨站脚本）

paloaltonetworks pan-os 在web页面生成时对输入的转义处理不恰当（跨站脚本）

漏洞描述

解决建议

参考链接

受影响软件情况