Impact
A reflected cross‑site scripting (XSS) vulnerability in the GlobalProtect gateway and portal features allows an attacker to execute malicious JavaScript in the context of an authenticated Captive Portal user's browser when a specially crafted link is clicked. This enables phishing attacks that can lead to credential theft. No availability or configuration changes to the portal or gateway can be performed through this vulnerability; the impact is limited to in‑browser credential theft.
Affected Systems
Palo Alto Networks Cloud NGFW, PAN‑OS, and Prisma Access appliances are affected. Vulnerable versions include PAN‑OS 10.1.0 through 10.1.14, PAN‑OS 10.2.0 through 10.2.16, PAN‑OS 11.1.0 through 11.1.10, and PAN‑OS 11.2.0 through 11.2.6, as well as any older unsupported PAN‑OS releases. The vulnerability is remediated by upgrading to the fixed releases specified by Palo Alto Networks: upgrade to version 11.2.4‑h9 or later or 11.2.7 or later; upgrade to 11.1.6‑h14 or later or 11.1.10‑h1 or later; upgrade to 10.2.16‑h1 or later; and upgrade to any newer supported release.
Risk and Exploitability
The CVSS score of 2.7 indicates low severity, but the EPSS score of 44% indicates a significant likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would require an authenticated captive portal user's click on a crafted link; they could inject JavaScript to steal credentials. No integrity or availability impact beyond credential theft.
OpenCVE Enrichment
EUVD