-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0141
                           XSS patched in PAN-OS
                               28 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              PAN-OS
Operating System:     Network Appliance
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-7636  
Member content until: Saturday, July 28 2018

OVERVIEW

        Palo Alto Networks has addressed a Cross-Site Scripting (XSS)
        vulnerability in PAN-OS. [1] 


IMPACT

        The vendor has provided the following details regarding the issue:
        "A Cross-Site Scripting (XSS) vulnerability exists in the PAN-OS URL
        filtering "continue page" (Ref # PAN-OS 90835, CVE-2018-7636).
        PAN-OS software does not properly validate specific request
        parameters.

        Successful exploitation of this issue may allow an attacker to
        inject arbitrary JavaScript or HTML in specially crafted URLs that
        link to a URL filtering "continue page" hosted by the firewall." [1]
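
        The following is an added illustration of the bug class the vendor
        describes, not PAN-OS code and not taken from the advisory. It models
        a URL-filtering "continue page" that echoes the requested URL back
        into the interstitial HTML. The parameter name "url", the page
        markup and the crafted links are assumptions constructed for this
        example; the advisory does not name the affected parameters. The
        vulnerable renderer reflects the parameter raw, the fixed renderer
        HTML-encodes it in both text and attribute context and refuses
        non-http(s) link targets, and the small oracle shows the difference.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed payloads of the kind an attacker would place in a crafted link
# pointing at the firewall's continue page. The parameter name "url" is an
# assumption for this example; the real PAN-OS parameter is not named in the
# advisory.
CRAFTED_LINKS = {
    "script_in_body": urlencode({"url": "http://example.test/<script>alert(1)</script>"}),
    "attr_breakout": urlencode({"url": 'x" onmouseover="alert(1)'}),
    "js_scheme": urlencode({"url": "javascript:alert(1)"}),
}
BENIGN_LINK = urlencode({"url": "http://example.test/path?a=1&b=2"})


def _requested_url(query_string):
    """Pull the (assumed) 'url' parameter out of the continue-page query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("url", [""])[0]


def render_vulnerable(query_string):
    """Reflect the request parameter into HTML with no validation or encoding.

    This is the bug class: attacker-controlled data lands in a text node and
    in an href attribute verbatim, so markup, attribute breakouts and
    javascript: URLs all survive into the served page.
    """
    requested = _requested_url(query_string)
    return (
        "<html><body><h1>Access to this site is restricted</h1>"
        f"<p>Requested URL: {requested}</p>"
        f'<a href="{requested}">Continue</a>'
        "</body></html>"
    )


def render_fixed(query_string):
    """Context-aware output encoding plus a scheme allow-list for the link.

    html.escape(quote=True) neutralises <, >, &, " and ' for both the text
    node and the quoted attribute; the href additionally only accepts
    http/https so a javascript: target cannot be smuggled through encoding.
    """
    requested = _requested_url(query_string)
    scheme = urlsplit(requested).scheme.lower()
    target = requested if scheme in ("http", "https") else "#"
    return (
        "<html><body><h1>Access to this site is restricted</h1>"
        f"<p>Requested URL: {html.escape(requested, quote=True)}</p>"
        f'<a href="{html.escape(target, quote=True)}">Continue</a>'
        "</body></html>"
    )


def page_is_tainted(page):
    """Crude oracle for the three payloads above: a raw <script> element, an
    attribute breakout that opened a new event-handler attribute, or a
    javascript: href. Good enough to show the contrast, not a general scanner."""
    return (
        "<script>" in page
        or '" onmouseover="' in page
        or 'href="javascript:' in page
    )


if __name__ == "__main__":
    for name, query in CRAFTED_LINKS.items():
        print(f"{name:15s} vulnerable={page_is_tainted(render_vulnerable(query))} "
              f"fixed={page_is_tainted(render_fixed(query))}")
```

        Note that encoding alone does not cover the href case: a
        javascript: URL contains no characters that HTML encoding changes,
        which is why the fixed renderer also allow-lists the scheme before
        placing the value in the attribute.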


MITIGATION

        The vendor advises updating appliances running PAN-OS 8.0.x to
        version 8.0.11. [1] 


REFERENCES

        [1] Security Advisory 122
            https://securityadvisories.paloaltonetworks.com/Home/Detail/122

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----