Palo Alto has issued a patch for an XSS attack on the captive portal that I disclosed a few months back. The official advisory can be found here:

https://securityadvisories.paloaltonetworks.com/Home/Detail/66

(Detail taken from https://securityadvisories.paloaltonetworks.com/)

The attack has been given a CVSS score of 6.1:



(Screenshot taken from IBM X-Force: https://exchange.xforce.ibmcloud.com/vulnerabilities/118524)

Below follows the original report submitted to Palo Alto along with sample exploit code:

Version: PAN-OS 7.0.5

Summary: XSS issue in the HTML used for the user login portal. An attacker can run arbitrary JavaScript by manipulating the username field. See attached screenshot.

Steps to Reproduce:

Set up a plain vanilla, standard HTTP captive portal, using the web form option. A user will be presented with the default captive portal. As a username, enter something like the following (including all quotes):

";alert ('i can steal your cookies');var test="

Alert is shown (see screenshot below)

https://docs.google.com/document/d/1ySL-Md2d2p9oDIHsFU-WRpyTqbHZOKkWW-VDFmEQiWY/pub
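
Why the username above runs as script, and the output encoding that stops it, as an added example that is not part of the original report and is not PAN-OS code. The renderer functions and the variable name user are hypothetical; the example assumes the portal echoes the username into a double-quoted JavaScript string literal inside an inline script.

```javascript
// Added example: hypothetical captive-portal page renderer, not PAN-OS code.
// Assumption: the username is echoed into an inline <script> inside a
// double-quoted string literal, which is what the payload's shape suggests.

// Username from the report's "Steps to Reproduce".
const PAYLOAD = "\";alert ('i can steal your cookies');var test=\"";

// Vulnerable: raw concatenation lets a double quote end the string literal.
function renderVulnerable(username) {
  return '<script>var user="' + username + '";</script>';
}

// Hardened: JSON.stringify escapes quotes, backslashes and control characters.
// The extra pass rewrites <, >, & and U+2028/U+2029 as \uXXXX so the value
// cannot close the <script> element or break the literal in older engines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, function (c) {
    return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

function renderHardened(username) {
  return '<script>var user=' + jsStringLiteral(username) + ';</script>';
}

// Evaluates the inline script body with a stub alert() and reports the
// resulting value of `user` plus every alert() call the script made.
function runInlineScript(html) {
  const body = html.replace(/^<script>/, '').replace(/<\/script>$/, '');
  const alerts = [];
  const run = new Function('alert', body + '\nreturn user;');
  const user = run(function (msg) { alerts.push(msg); });
  return { user: user, alerts: alerts };
}

const before = runInlineScript(renderVulnerable(PAYLOAD));
const after = runInlineScript(renderHardened(PAYLOAD));
console.log('vulnerable:', before.alerts.length, 'alert call(s), user =', JSON.stringify(before.user));
console.log('hardened:  ', after.alerts.length, 'alert call(s), user =', JSON.stringify(after.user));
```

With the hardened renderer the whole input stays inside the string literal, so the page still displays exactly what the user typed.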