CVE-2023-0010: 
PAN-OS vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in the Captive Portal feature of Palo Alto Networks PAN-OS software, identified as CVE-2023-0010. The vulnerability was discovered by the Lockheed Martin Red Team and publicly disclosed on June 14, 2023. This security flaw affects multiple versions of PAN-OS software including versions 8.1, 9.0, 9.1, 10.0, 10.1, and 10.2, specifically when configured to use Captive Portal authentication (Palo Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium severity) with the following metrics: Network Attack Vector, Low Attack Complexity, Low Privileges Required, No User Interaction, Unchanged Scope, Low Confidentiality Impact, Low Integrity Impact, and No Availability Impact. The weakness is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation). On PAN-OS 10.0 and later versions, the vulnerability only applies to firewalls that have disabled the default token generation for Captive Portal authentication (Palo Advisory).

When exploited, this vulnerability allows a JavaScript payload to be executed in the context of an authenticated Captive Portal user's browser when they click on a specifically crafted link. This could potentially lead to unauthorized access to user data or manipulation of the user's browser session (Palo Advisory).

The vulnerability has been fixed in PAN-OS versions 8.1.24, 9.0.17, 9.1.16, 10.0.11, 10.1.6, 10.2.2, and all later PAN-OS versions. For customers with a Threat Prevention subscription, attacks can be blocked by enabling Threat ID 92065 (Applications and Threats content update 8722). Administrators can verify if their system is vulnerable by running the command 'show deviceconfig setting captive-portal' (Palo Advisory).