CVE-2021-3052: 
PAN-OS vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in the Palo Alto Network PAN-OS web interface (CVE-2021-3052). The vulnerability enables an authenticated network-based attacker to mislead another authenticated PAN-OS administrator to click on a specially crafted link that performs arbitrary actions in the PAN-OS web interface as the targeted authenticated administrator. This issue affects PAN-OS versions 8.1 (earlier than 8.1.20), 9.0 (earlier than 9.0.14), 9.1 (earlier than 9.1.10), and 10.0 (earlier than 10.0.2). The vulnerability does not affect Prisma Access (Palo Alto Advisory).

The vulnerability is classified as CWE-79 (Cross-site Scripting). It has a CVSSv3.1 Base Score of 8.0 HIGH with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The attack requires network access, low attack complexity, low privileges, and user interaction (NVD Details).

If successfully exploited, this vulnerability could allow an attacker to perform arbitrary actions in the PAN-OS web interface with the privileges of a targeted authenticated administrator. This could potentially lead to high impacts on confidentiality, integrity, and availability of the system (Palo Alto Advisory).

The vulnerability has been fixed in PAN-OS versions 9.0.14, 8.1.20, 9.1.10, 10.0.2, 10.1.0, and all later versions. As a workaround, administrators can enable signatures for Unique Threat IDs 91573, 91574, 91575, 91576 on traffic destined for the web interface to block attacks. Additionally, following best practices for securing the PAN-OS web interface is recommended (Palo Alto Advisory).