- 139/2023
- Medium
Palo Alto has released security updates to fix several vulnerabilities in PAN-OS and GlobalProtect App.
The addressed vulnerabilities could allow the attacker to execute a JavaScript payload in the context of an authenticated Captive Portal user’s browser or gain elevated privileges on the affected system.
The addressed vulnerabilities:
1. GlobalProtect App: Local Privilege Escalation Vulnerability (CVE-2023-0009):
- CVSS: 6.7
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Privileges
2. PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in Captive Portal Authentication (CVE-2023-0010):
- CVSS: 5.4
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Cross-Site Scripting
Vulnerabilities
- CVE-2023-0009
- CVE-2023-0010
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.