CVE-2024-0010

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Feb 14, 2024 / Updated: 9mo ago

CVSS 4.3 / EPSS 0.04% / Medium

A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect portal feature of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript (in the context of a user’s browser) if a user clicks on a malicious link, allowing phishing attacks that could lead to credential theft.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-0010

Feb 14, 2024 at 10:15 AM
First Article

Feedly found the first article mentioning CVE-2024-0010.

Feb 14, 2024 at 6:21 PM / National Vulnerability Database
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (190586)

Feb 15, 2024 at 2:15 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 6.7%)

Feb 15, 2024 at 2:33 PM

Affected Systems

Paloaltonetworks/globalprotect

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

News

Update Fri Jul 19 22:28:32 UTC 2024
Severity | Advisory | Title | Affected products / versions | Published | Updated
10 N | CVE-2024-3400 | PAN-OS: OS Command Injection Vulnerability in GlobalProtect | All; >= 11.1.2-h3 (See additional hotfixes in Solution section); >= 11.0.4-h1 (See additional hotfixes in Solution section); >= 10.2.9-h1 (See additional hotfixes in Solution section); All; All; all | 2024-04-12 | 2024-04-15
8.3 N | CVE-2024-3383 | PAN-OS: Improper Group Membership Change Vulnerability in Cloud Identity Engine (CIE) | All; All; >= 11.0.3; >= 10.2.5; >= 10.1.11; All; all | 2024-04-10 | 2024-04-10
8.2 N | CVE-2024-3385 | PAN-OS: Firewall Denial of Service (DoS) when GTP Security is Disabled | Cloud NGFW, PAN-OS 11.1, PAN-OS 11.0, PAN-OS 10.2, PAN-OS 10.1, PAN-OS 9.1, PAN-OS 9.0, Prisma Access; All; All; >= 11.0.3; >= 10.2.8; >= 10.1.12; >= 9.1.17; >= 9.0.17-h4; All | 2024-04-10 | 2024-04-10
8.2 | CVE-2024-3382 | PAN-OS: Firewall Denial of Service (DoS) via a Burst of Crafted Packets | All; >= 11.1.2; >= 11.0.4; >= 10.2.7-h3; All; All; all | 2024-04-10 | 2024-04-10
8.2 N | CVE-2024-3384 | PAN-OS: Firewall Denial of Service (DoS) via Malformed NTLM Packets | All; All; All; >= 10.0.12; >= 9.1.15-h1; >= 9.0.17; >= 8.1.24; all | 2024-04-10 | 2024-04-10
6.9 N | CVE-2024-3386 | PAN-OS: Predefined Decryption Exclusions Does Not Work as Intended | Cloud NGFW, PAN-OS 11.1, PAN-OS 11.0, PAN-OS 10.2, PAN-OS 10.1, PAN-OS 10.0, PAN-OS 9.1, PAN-OS 9.0, Prisma Access; All; All; >= 11.0.1-h2, >= 11.0.2; >= 10.2.4-h2, >= 10.2.5; >= 10.1.9-h3, >= 10.1.10; >= 10.0.13; >= 9.1.17; >= 9.0.17-h2; All | 2024-04-10 | 2024-04-10
6 | CVE-2024-3387 | PAN-OS: Weak Certificate Strength in Panorama Software Leads to Sensitive Information Disclosure | All; All; >= 11.0.4 on Panorama; >= 10.2.7-h3 on Panorama, >= 10.2.8 on Panorama; >= 10.1.12 on Panorama; All; all | 2024-04-10 | 2024-04-10
5.1 | CVE-2024-3388 | PAN-OS: User Impersonation in GlobalProtect SSL VPN | Cloud NGFW, PAN-OS 11.1, PAN-OS 11.0, PAN-OS 10.2, PAN-OS 10.1, PAN-OS 9.1, PAN-OS 9.0, PAN-OS 8.1, Prisma Access; All; All; >= 11.0.3; >= 10.2.7-h3; >= 10.1.11-h4; >= 9.1.17; >= 9.0.17-h4; >= 8.1.26; >= 10.2.4 | 2024-04-10 | 2024-04-10
i | PAN-SA-2024-0004 | Informational Bulletin: OSS CVEs fixed in PAN-OS Versions prior to those listed above | | 2024-04-10 |
i | PAN-SA-2024-0003 | Informational Bulletin: | | |
Update Wed Mar 20 02:01:01 UTC 2024
Rewterz Threat Advisory – Multiple Palo Alto Networks PAN-OS Vulnerabilities
Palo Alto Networks PAN-OS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the GlobalProtect portal feature. Palo Alto Networks PAN-OS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the web interface on Panorama appliances.
Update Mon Mar 4 10:16:34 UTC 2024

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability Impact: None
