{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0133", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "state": "PUBLISHED", "assignerShortName": "palo_alto", "dateReserved": "2024-12-20T23:23:33.828Z", "datePublished": "2025-05-14T18:07:36.381Z", "dateUpdated": "2026-04-02T23:38:11.074Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2026-04-02T23:38:11.074Z"}, "title": "PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Gateway and Portal", "datePublic": "2025-05-14T16:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "affected": [{"vendor": "Palo Alto Networks", "product": "Cloud NGFW", "versions": [{"status": "affected", "version": "All", "lessThan": "11.2.8", "changes": [{"at": "11.2.8", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Palo Alto Networks", "product": "PAN-OS", "versions": [{"status": "affected", "version": "11.2.0", "lessThan": "11.2.7", "changes": [{"at": "11.2.7", "status": "unaffected"}, {"at": "11.2.4-h9", "status": "unaffected"}], "versionType": "custom"}, {"status": "affected", "version": "11.1.0", "lessThan": "11.1.6-h14", "changes": [{"at": "11.1.10-h1", "status": "unaffected"}, {"at": "11.1.6-h14", "status": "unaffected"}], "versionType": "custom"}, {"status": "affected", "version": "10.2.0", "lessThan": "10.2.16-h1", "changes": [{"at": "10.2.16-h1", "status": "unaffected"}], "versionType": "custom"}, {"status": "affected", "version": "10.1.0", "versionType": "custom"}], "defaultStatus": "unaffected", "cpes": ["cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h8:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h7:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h6:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h5:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h4:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h3:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h2:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h1:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:-:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:-:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h10:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h7:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h6:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h4:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h3:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h2:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h1:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:-:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:-:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.15:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.14:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.13:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.12:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.11:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.10:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.9:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.8:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.6:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.5:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.0:*:*:*:*:*:*:*"]}, {"vendor": "Palo Alto Networks", "product": "Prisma Access", "versions": [{"status": "affected", "version": "All", "versionType": "custom"}], "defaultStatus": "affected"}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:palo_alto_networks:cloud_ngfw:*:*:*:*:*:*:*:*", "versionStartIncluding": "all", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*", "versionEndExcluding": "11.2.7", "versionStartIncluding": "11.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*", "versionEndExcluding": "11.2.4-h9", "versionStartIncluding": "11.2.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*", "versionEndExcluding": "11.1.10-h1", "versionStartIncluding": "11.1.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*", "versionEndExcluding": "11.1.6-h14", "versionStartIncluding": "11.1.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.2.16-h1", "versionStartIncluding": "10.2.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:*", "versionStartIncluding": "all", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect\u2122 gateway and portal features of Palo Alto Networks PAN-OS\u00ae software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft\u2014particularly if you enabled Clientless VPN.\n\nThere is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal.\n\n\n\nFor GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin PAN-SA-2025-0005 https://security.paloaltonetworks.com/PAN-SA-2025-0005 https://security.paloaltonetworks.com/PAN-SA-2025-0005 . There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p></p><p><span>A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect\u2122 gateway and portal features of Palo Alto Networks PAN-OS\u00ae software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft\u2014particularly if you enabled Clientless VPN.</span></p><p><span>There is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal.</span></p><p></p><p>For GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin <a target=\"_blank\" rel=\"nofollow\" href=\"https://security.paloaltonetworks.com/PAN-SA-2025-0005\">PAN-SA-2025-0005</a><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.paloaltonetworks.com/PAN-SA-2025-0005\"></a>. There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN.</p>"}]}], "references": [{"url": "https://security.paloaltonetworks.com/CVE-2025-0133", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "Without Clientless VPN"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NO", "Recovery": "USER", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "LOW", "baseScore": 1.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/U:Amber"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "With Clientless VPN enabled, there are inherent risks that facilitate credential stealing (enumerated in PAN-SA-2025-0005)."}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NEGLIGIBLE", "Automatable": "NO", "Recovery": "USER", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/S:N/AU:N/R:U/V:D/RE:M/U:Amber"}}], "configurations": [{"lang": "en", "value": "This issue is applicable only to PAN-OS firewall configurations with an enabled GlobalProtect gateway or portal.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This issue is applicable only to PAN-OS firewall configurations with an enabled GlobalProtect gateway or portal."}]}], "workarounds": [{"lang": "en", "value": "Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510003 and 510004 from Applications and Threats content version 8995.\n\nFor all Cloud NGFW, PAN-OS, and Prisma Access deployments, it is crucial to ensure that Vulnerability Protection profiles are explicitly applied to the security rules that process traffic from GlobalProtect interfaces. This ensures the Threat Prevention signatures are actively enforced. For detailed guidance on applying Vulnerability Protection to GlobalProtect interfaces, please refer to: https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184.\n\n\nYou can also disable Clientless VPN to reduce impact in the event of exploitation, though this will not block the exploit in it's entirety. For more information, review the security advisory\u00a0PAN-SA-2025-0005 (https://security.paloaltonetworks.com/PAN-SA-2025-0005).\n\nPrevious versions of this advisory have listed the recommended content version as 8970 and 8990. We now recommend 8995 as it has the latest updates to the signatures to cover additional exploit variants.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510003 and 510004 from Applications and Threats content version 8995.</p><p>For all Cloud NGFW, PAN-OS, and Prisma Access deployments, it is crucial to ensure that Vulnerability Protection profiles are explicitly applied to the security rules that process traffic from GlobalProtect interfaces. This ensures the Threat Prevention signatures are actively enforced. For detailed guidance on applying Vulnerability Protection to GlobalProtect interfaces, please refer to: <a target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184\">https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184</a>.<br></p><p>You can also disable Clientless VPN to reduce impact in the event of exploitation, though this will not block the exploit in it's entirety. For more information, review the security advisory&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://security.paloaltonetworks.com/PAN-SA-2025-0005\">PAN-SA-2025-0005</a>.</p><i>Previous versions of this advisory have listed the recommended content version as 8970 and 8990. We now recommend 8995 as it has the latest updates to the signatures to cover additional exploit variants.&nbsp;</i>"}]}], "solutions": [{"lang": "eng", "value": "VERSION MINOR VERSION SUGGESTED SOLUTION\nPAN-OS 11.2 11.2.0 through 11.2.4 Upgrade to 11.2.4-h9 or later\n\u00a0 11.2.5 through 11.2.6 Upgrade to 11.2.7 or later\nPAN-OS 11.1 11.1.0 through 11.1.6 Upgrade to 11.1.6-h14 or later\n\u00a0 11.1.7 through 11.1.10 Upgrade to 11.1.10-h1 or later\nPAN-OS 10.2 10.2.0 through 10.2.16 Upgrade to 10.2.16-h1 or later\nPAN-OS 10.1 10.1.0 through 10.1.14 Upgrade to 10.2.16-h1 or later\nAll other older unsupported PAN-OS versions Upgrade to a supported fixed version\n\nPAN-OS 10.1 is in\u00a0L (https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy)imited Support (https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy)\u00a0and reaches\u00a0Software EOL (https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary)in March 2026.\n\nhttps://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<table><thead><tr><th>Version</th><th>Minor Version</th><th>Suggested Solution</th></tr></thead><tbody><tr><td>PAN-OS 11.2</td><td>11.2.0 through 11.2.4</td><td>Upgrade to 11.2.4-h9 or later</td></tr><tr><td>&nbsp;</td><td>11.2.5 through 11.2.6</td><td>Upgrade to 11.2.7 or later</td></tr><tr><td>PAN-OS 11.1</td><td>11.1.0 through 11.1.6</td><td>Upgrade to 11.1.6-h14 or later</td></tr><tr><td>&nbsp;</td><td>11.1.7 through 11.1.10</td><td>Upgrade to 11.1.10-h1 or later</td></tr><tr><td>PAN-OS 10.2</td><td>10.2.0 through 10.2.16</td><td>Upgrade to 10.2.16-h1 or later</td></tr><tr><td>PAN-OS 10.1</td><td>10.1.0 through 10.1.14</td><td>Upgrade to 10.2.16-h1 or later</td></tr><tr><td>All other older unsupported PAN-OS versions<br></td><td><br></td><td>Upgrade to a supported fixed version<br></td></tr></tbody></table><p>PAN-OS 10.1 is in&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy\">L</a><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy\">imited Support</a>&nbsp;and reaches&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary\">Software EOL </a>in March 2026.</p><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy\"></a>"}]}], "exploits": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.&nbsp;"}]}], "timeline": [{"time": "2025-07-09T16:00:00.000Z", "lang": "en", "value": "Added fix version for PAN-OS 10.2."}, {"time": "2025-07-04T06:30:00.000Z", "lang": "en", "value": "Added Releases with the Software Fix, Updated Recommended Content Version, and Added Guidance for Prisma Access."}, {"time": "2025-06-18T19:15:00.000Z", "lang": "en", "value": "Changed Content Version for Mitigation and Updated Version ETAs"}, {"time": "2025-05-21T20:30:00.000Z", "lang": "en", "value": "Removed Cloud NGFW from Affected Products"}, {"time": "2025-05-21T00:00:00.000Z", "lang": "en", "value": "Removed Prisma Access from Affected Products."}, {"time": "2025-05-15T20:00:00.000Z", "lang": "en", "value": "Changed Expected Fix Release for PAN-OS 11.2"}, {"time": "2025-05-15T19:00:00.000Z", "lang": "en", "value": "Added Prisma Access and Cloud NGFW to Affected Products."}, {"time": "2025-05-14T16:00:00.000Z", "lang": "en", "value": "Initial Publication"}], "credits": [{"lang": "en", "value": "XBOW", "type": "finder"}], "source": {"defect": ["PAN-287002"], "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "x_affectedList": ["PAN-OS 11.2.6", "PAN-OS 11.2.5", "PAN-OS 11.2.4-h8", "PAN-OS 11.2.4-h7", "PAN-OS 11.2.4-h6", "PAN-OS 11.2.4-h5", "PAN-OS 11.2.4-h4", "PAN-OS 11.2.4-h3", "PAN-OS 11.2.4-h2", "PAN-OS 11.2.4-h1", "PAN-OS 11.2.4", "PAN-OS 11.2.3-h5", "PAN-OS 11.2.3-h4", "PAN-OS 11.2.3-h3", "PAN-OS 11.2.3-h2", "PAN-OS 11.2.3-h1", "PAN-OS 11.2.3", "PAN-OS 11.2.2-h2", "PAN-OS 11.2.2-h1", "PAN-OS 11.2.1-h1", "PAN-OS 11.2.1", "PAN-OS 11.2.0-h1", "PAN-OS 11.2.0", "PAN-OS 11.1.10", "PAN-OS 11.1.9", "PAN-OS 11.1.8", "PAN-OS 11.1.6-h10", "PAN-OS 11.1.6-h7", "PAN-OS 11.1.6-h6", "PAN-OS 11.1.6-h4", "PAN-OS 11.1.6-h3", "PAN-OS 11.1.6-h2", "PAN-OS 11.1.6-h1", "PAN-OS 11.1.6", "PAN-OS 11.1.5-h1", "PAN-OS 11.1.5", "PAN-OS 11.1.4-h27", "PAN-OS 11.1.4-h25", "PAN-OS 11.1.4-h18", "PAN-OS 11.1.4-h17", "PAN-OS 11.1.4-h15", "PAN-OS 11.1.4-h13", "PAN-OS 11.1.4-h12", "PAN-OS 11.1.4-h11", "PAN-OS 11.1.4-h10", "PAN-OS 11.1.4-h9", "PAN-OS 11.1.4-h8", "PAN-OS 11.1.4-h7", "PAN-OS 11.1.4-h6", "PAN-OS 11.1.4-h5", "PAN-OS 11.1.4-h4", "PAN-OS 11.1.4-h3", "PAN-OS 11.1.4-h2", "PAN-OS 11.1.4-h1", "PAN-OS 11.1.4", "PAN-OS 11.1.3-h13", "PAN-OS 11.1.3-h12", "PAN-OS 11.1.3-h11", "PAN-OS 11.1.3-h10", "PAN-OS 11.1.3-h9", "PAN-OS 11.1.3-h8", "PAN-OS 11.1.3-h7", "PAN-OS 11.1.3-h6", "PAN-OS 11.1.3-h5", "PAN-OS 11.1.3-h4", "PAN-OS 11.1.3-h3", "PAN-OS 11.1.3-h2", "PAN-OS 11.1.3-h1", "PAN-OS 11.1.3", "PAN-OS 11.1.2-h18", "PAN-OS 11.1.2-h17", "PAN-OS 11.1.2-h16", "PAN-OS 11.1.2-h15", "PAN-OS 11.1.2-h14", "PAN-OS 11.1.2-h13", "PAN-OS 11.1.2-h12", "PAN-OS 11.1.2-h11", "PAN-OS 11.1.2-h10", "PAN-OS 11.1.2-h9", "PAN-OS 11.1.2-h8", "PAN-OS 11.1.2-h7", "PAN-OS 11.1.2-h6", "PAN-OS 11.1.2-h5", "PAN-OS 11.1.2-h4", "PAN-OS 11.1.2-h3", "PAN-OS 11.1.2-h2", "PAN-OS 11.1.2-h1", "PAN-OS 11.1.2", "PAN-OS 11.1.1-h2", "PAN-OS 11.1.1-h1", "PAN-OS 11.1.1", "PAN-OS 11.1.0-h4", "PAN-OS 11.1.0-h3", "PAN-OS 11.1.0-h2", "PAN-OS 11.1.0-h1", "PAN-OS 11.1.0", "PAN-OS 10.2.16", "PAN-OS 10.2.15", "PAN-OS 10.2.14-h1", "PAN-OS 10.2.14", "PAN-OS 10.2.13-h18", "PAN-OS 10.2.13-h16", "PAN-OS 10.2.13-h15", "PAN-OS 10.2.13-h10", "PAN-OS 10.2.13-h7", "PAN-OS 10.2.13-h5", "PAN-OS 10.2.13-h4", "PAN-OS 10.2.13-h3", "PAN-OS 10.2.13-h2", "PAN-OS 10.2.13-h1", "PAN-OS 10.2.13", "PAN-OS 10.2.12-h6", "PAN-OS 10.2.12-h5", "PAN-OS 10.2.12-h4", "PAN-OS 10.2.12-h3", "PAN-OS 10.2.12-h2", "PAN-OS 10.2.12-h1", "PAN-OS 10.2.12", "PAN-OS 10.2.11-h13", "PAN-OS 10.2.11-h12", "PAN-OS 10.2.11-h11", "PAN-OS 10.2.11-h10", "PAN-OS 10.2.11-h9", "PAN-OS 10.2.11-h8", "PAN-OS 10.2.11-h7", "PAN-OS 10.2.11-h6", "PAN-OS 10.2.11-h5", "PAN-OS 10.2.11-h4", "PAN-OS 10.2.11-h3", "PAN-OS 10.2.11-h2", "PAN-OS 10.2.11-h1", "PAN-OS 10.2.11", "PAN-OS 10.2.10-h31", "PAN-OS 10.2.10-h30", "PAN-OS 10.2.10-h27", "PAN-OS 10.2.10-h26", "PAN-OS 10.2.10-h23", "PAN-OS 10.2.10-h21", "PAN-OS 10.2.10-h18", "PAN-OS 10.2.10-h17", "PAN-OS 10.2.10-h14", "PAN-OS 10.2.10-h13", "PAN-OS 10.2.10-h12", "PAN-OS 10.2.10-h11", "PAN-OS 10.2.10-h10", "PAN-OS 10.2.10-h9", "PAN-OS 10.2.10-h8", "PAN-OS 10.2.10-h7", "PAN-OS 10.2.10-h6", "PAN-OS 10.2.10-h5", "PAN-OS 10.2.10-h4", "PAN-OS 10.2.10-h3", "PAN-OS 10.2.10-h2", "PAN-OS 10.2.10-h1", "PAN-OS 10.2.10", "PAN-OS 10.2.9-h21", "PAN-OS 10.2.9-h20", "PAN-OS 10.2.9-h19", "PAN-OS 10.2.9-h18", "PAN-OS 10.2.9-h17", "PAN-OS 10.2.9-h16", "PAN-OS 10.2.9-h15", "PAN-OS 10.2.9-h14", "PAN-OS 10.2.9-h13", "PAN-OS 10.2.9-h12", "PAN-OS 10.2.9-h11", "PAN-OS 10.2.9-h10", "PAN-OS 10.2.9-h9", "PAN-OS 10.2.9-h8", "PAN-OS 10.2.9-h7", "PAN-OS 10.2.9-h6", "PAN-OS 10.2.9-h5", "PAN-OS 10.2.9-h4", "PAN-OS 10.2.9-h3", "PAN-OS 10.2.9-h2", "PAN-OS 10.2.9-h1", "PAN-OS 10.2.9", "PAN-OS 10.2.8-h21", "PAN-OS 10.2.8-h20", "PAN-OS 10.2.8-h19", "PAN-OS 10.2.8-h18", "PAN-OS 10.2.8-h17", "PAN-OS 10.2.8-h16", "PAN-OS 10.2.8-h15", "PAN-OS 10.2.8-h14", "PAN-OS 10.2.8-h13", "PAN-OS 10.2.8-h12", "PAN-OS 10.2.8-h11", "PAN-OS 10.2.8-h10", "PAN-OS 10.2.8-h9", "PAN-OS 10.2.8-h8", "PAN-OS 10.2.8-h7", "PAN-OS 10.2.8-h6", "PAN-OS 10.2.8-h5", "PAN-OS 10.2.8-h4", "PAN-OS 10.2.8-h3", "PAN-OS 10.2.8-h2", "PAN-OS 10.2.8-h1", "PAN-OS 10.2.8", "PAN-OS 10.2.7-h32", "PAN-OS 10.2.7-h24", "PAN-OS 10.2.7-h23", "PAN-OS 10.2.7-h22", "PAN-OS 10.2.7-h21", "PAN-OS 10.2.7-h20", "PAN-OS 10.2.7-h19", "PAN-OS 10.2.7-h18", "PAN-OS 10.2.7-h17", "PAN-OS 10.2.7-h16", "PAN-OS 10.2.7-h15", "PAN-OS 10.2.7-h14", "PAN-OS 10.2.7-h13", "PAN-OS 10.2.7-h12", "PAN-OS 10.2.7-h11", "PAN-OS 10.2.7-h10", "PAN-OS 10.2.7-h9", "PAN-OS 10.2.7-h8", "PAN-OS 10.2.7-h7", "PAN-OS 10.2.7-h6", "PAN-OS 10.2.7-h5", "PAN-OS 10.2.7-h4", "PAN-OS 10.2.7-h3", "PAN-OS 10.2.7-h2", "PAN-OS 10.2.7-h1", "PAN-OS 10.2.7", "PAN-OS 10.2.6-h6", "PAN-OS 10.2.6-h5", "PAN-OS 10.2.6-h4", "PAN-OS 10.2.6-h3", "PAN-OS 10.2.6-h2", "PAN-OS 10.2.6-h1", "PAN-OS 10.2.6", "PAN-OS 10.2.5-h9", "PAN-OS 10.2.5-h8", "PAN-OS 10.2.5-h7", "PAN-OS 10.2.5-h6", "PAN-OS 10.2.5-h5", "PAN-OS 10.2.5-h4", "PAN-OS 10.2.5-h3", "PAN-OS 10.2.5-h2", "PAN-OS 10.2.5-h1", "PAN-OS 10.2.5", "PAN-OS 10.2.4-h32", "PAN-OS 10.2.4-h31", "PAN-OS 10.2.4-h30", "PAN-OS 10.2.4-h29", "PAN-OS 10.2.4-h28", "PAN-OS 10.2.4-h27", "PAN-OS 10.2.4-h26", "PAN-OS 10.2.4-h25", "PAN-OS 10.2.4-h24", "PAN-OS 10.2.4-h23", "PAN-OS 10.2.4-h22", "PAN-OS 10.2.4-h21", "PAN-OS 10.2.4-h20", "PAN-OS 10.2.4-h19", "PAN-OS 10.2.4-h18", "PAN-OS 10.2.4-h17", "PAN-OS 10.2.4-h16", "PAN-OS 10.2.4-h15", "PAN-OS 10.2.4-h14", "PAN-OS 10.2.4-h13", "PAN-OS 10.2.4-h12", "PAN-OS 10.2.4-h11", "PAN-OS 10.2.4-h10", "PAN-OS 10.2.4-h9", "PAN-OS 10.2.4-h8", "PAN-OS 10.2.4-h7", "PAN-OS 10.2.4-h6", "PAN-OS 10.2.4-h5", "PAN-OS 10.2.4-h4", "PAN-OS 10.2.4-h3", "PAN-OS 10.2.4-h2", "PAN-OS 10.2.4-h1", "PAN-OS 10.2.4", "PAN-OS 10.2.3-h14", "PAN-OS 10.2.3-h13", "PAN-OS 10.2.3-h12", "PAN-OS 10.2.3-h11", "PAN-OS 10.2.3-h10", "PAN-OS 10.2.3-h9", "PAN-OS 10.2.3-h8", "PAN-OS 10.2.3-h7", "PAN-OS 10.2.3-h6", "PAN-OS 10.2.3-h5", "PAN-OS 10.2.3-h4", "PAN-OS 10.2.3-h3", "PAN-OS 10.2.3-h2", "PAN-OS 10.2.3-h1", "PAN-OS 10.2.3", "PAN-OS 10.2.2-h6", "PAN-OS 10.2.2-h5", "PAN-OS 10.2.2-h4", "PAN-OS 10.2.2-h3", "PAN-OS 10.2.2-h2", "PAN-OS 10.2.2-h1", "PAN-OS 10.2.2", "PAN-OS 10.2.1-h3", "PAN-OS 10.2.1-h2", "PAN-OS 10.2.1-h1", "PAN-OS 10.2.1", "PAN-OS 10.2.0-h4", "PAN-OS 10.2.0-h3", "PAN-OS 10.2.0-h2", "PAN-OS 10.2.0-h1", "PAN-OS 10.2.0", "PAN-OS 10.1.14-h20", "PAN-OS 10.1.14-h19", "PAN-OS 10.1.14-h16", "PAN-OS 10.1.14-h15", "PAN-OS 10.1.14-h14", "PAN-OS 10.1.14-h13", "PAN-OS 10.1.14-h11", "PAN-OS 10.1.14-h10", "PAN-OS 10.1.14-h9", "PAN-OS 10.1.14-h8", "PAN-OS 10.1.14-h7", "PAN-OS 10.1.14-h6", "PAN-OS 10.1.14-h5", "PAN-OS 10.1.14-h4", "PAN-OS 10.1.14-h3", "PAN-OS 10.1.14-h2", "PAN-OS 10.1.14-h1", "PAN-OS 10.1.14", "PAN-OS 10.1.13-h5", "PAN-OS 10.1.13-h4", "PAN-OS 10.1.13-h3", "PAN-OS 10.1.13-h2", "PAN-OS 10.1.13-h1", "PAN-OS 10.1.13", "PAN-OS 10.1.12-h3", "PAN-OS 10.1.12-h2", "PAN-OS 10.1.12-h1", "PAN-OS 10.1.12", "PAN-OS 10.1.11-h10", "PAN-OS 10.1.11-h9", "PAN-OS 10.1.11-h8", "PAN-OS 10.1.11-h7", "PAN-OS 10.1.11-h6", "PAN-OS 10.1.11-h5", "PAN-OS 10.1.11-h4", "PAN-OS 10.1.11-h3", "PAN-OS 10.1.11-h2", "PAN-OS 10.1.11-h1", "PAN-OS 10.1.11", "PAN-OS 10.1.10-h9", "PAN-OS 10.1.10-h8", "PAN-OS 10.1.10-h7", "PAN-OS 10.1.10-h6", "PAN-OS 10.1.10-h5", "PAN-OS 10.1.10-h4", "PAN-OS 10.1.10-h3", "PAN-OS 10.1.10-h2", "PAN-OS 10.1.10-h1", "PAN-OS 10.1.10", "PAN-OS 10.1.9-h14", "PAN-OS 10.1.9-h13", "PAN-OS 10.1.9-h12", "PAN-OS 10.1.9-h11", "PAN-OS 10.1.9-h10", "PAN-OS 10.1.9-h9", "PAN-OS 10.1.9-h8", "PAN-OS 10.1.9-h7", "PAN-OS 10.1.9-h6", "PAN-OS 10.1.9-h5", "PAN-OS 10.1.9-h4", "PAN-OS 10.1.9-h3", "PAN-OS 10.1.9-h2", "PAN-OS 10.1.9-h1", "PAN-OS 10.1.9", "PAN-OS 10.1.8-h8", "PAN-OS 10.1.8-h7", "PAN-OS 10.1.8-h6", "PAN-OS 10.1.8-h5", "PAN-OS 10.1.8-h4", "PAN-OS 10.1.8-h3", "PAN-OS 10.1.8-h2", "PAN-OS 10.1.8-h1", "PAN-OS 10.1.8", "PAN-OS 10.1.7-h1", "PAN-OS 10.1.7", "PAN-OS 10.1.6-h9", "PAN-OS 10.1.6-h8", "PAN-OS 10.1.6-h7", "PAN-OS 10.1.6-h6", "PAN-OS 10.1.6-h5", "PAN-OS 10.1.6-h4", "PAN-OS 10.1.6-h3", "PAN-OS 10.1.6-h2", "PAN-OS 10.1.6-h1", "PAN-OS 10.1.6", "PAN-OS 10.1.5-h4", "PAN-OS 10.1.5-h3", "PAN-OS 10.1.5-h2", "PAN-OS 10.1.5-h1", "PAN-OS 10.1.5", "PAN-OS 10.1.4-h6", "PAN-OS 10.1.4-h5", "PAN-OS 10.1.4-h4", "PAN-OS 10.1.4-h3", "PAN-OS 10.1.4-h2", "PAN-OS 10.1.4-h1", "PAN-OS 10.1.4", "PAN-OS 10.1.3-h4", "PAN-OS 10.1.3-h3", "PAN-OS 10.1.3-h2", "PAN-OS 10.1.3-h1", "PAN-OS 10.1.3", "PAN-OS 10.1.2", "PAN-OS 10.1.1", "PAN-OS 10.1.0"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-14T20:51:07.672908Z", "id": "CVE-2025-0133", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T20:51:15.284Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0133", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-14T20:51:07.672908Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T20:51:12.264Z"}}], "cna": {"title": "PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Gateway and Portal", "source": {"defect": ["PAN-287002"], "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "XBOW"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 1.2, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/U:Amber", "exploitMaturity": "UNREPORTED", "providerUrgency": "AMBER", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "Without Clientless VPN"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 2.7, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/S:N/AU:N/R:U/V:D/RE:M/U:Amber", "exploitMaturity": "UNREPORTED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "With Clientless VPN enabled, there are inherent risks that facilitate credential stealing (enumerated in PAN-SA-2025-0005)."}]}], "affected": [{"vendor": "Palo Alto Networks", "product": "Cloud NGFW", "versions": [{"status": "affected", "changes": [{"at": "11.2.8", "status": "unaffected"}], "version": "All", "lessThan": "11.2.8", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h8:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h7:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h6:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h5:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h4:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h3:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h2:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h1:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:-:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:-:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h10:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h7:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h6:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h4:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h3:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h2:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:h1:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:-:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:-:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.15:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.14:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.13:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.12:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.11:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.10:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.9:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.8:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.6:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.5:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:palo_alto_networks:pan-os:10.1.0:*:*:*:*:*:*:*"], "vendor": "Palo Alto Networks", "product": "PAN-OS", "versions": [{"status": "affected", "changes": [{"at": "11.2.7", "status": "unaffected"}, {"at": "11.2.4-h9", "status": "unaffected"}], "version": "11.2.0", "lessThan": "11.2.7", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "11.1.10-h1", "status": "unaffected"}, {"at": "11.1.6-h14", "status": "unaffected"}], "version": "11.1.0", "lessThan": "11.1.6-h14", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "10.2.16-h1", "status": "unaffected"}], "version": "10.2.0", "lessThan": "10.2.16-h1", "versionType": "custom"}, {"status": "affected", "version": "10.1.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Palo Alto Networks", "product": "Prisma Access", "versions": [{"status": "affected", "version": "All", "versionType": "custom"}], "defaultStatus": "affected"}], "exploits": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.", "supportingMedia": [{"type": "text/html", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.&nbsp;", "base64": false}]}], "timeline": [{"lang": "en", "time": "2025-07-09T16:00:00.000Z", "value": "Added fix version for PAN-OS 10.2."}, {"lang": "en", "time": "2025-07-04T06:30:00.000Z", "value": "Added Releases with the Software Fix, Updated Recommended Content Version, and Added Guidance for Prisma Access."}, {"lang": "en", "time": "2025-06-18T19:15:00.000Z", "value": "Changed Content Version for Mitigation and Updated Version ETAs"}, {"lang": "en", "time": "2025-05-21T20:30:00.000Z", "value": "Removed Cloud NGFW from Affected Products"}, {"lang": "en", "time": "2025-05-21T00:00:00.000Z", "value": "Removed Prisma Access from Affected Products."}, {"lang": "en", "time": "2025-05-15T20:00:00.000Z", "value": "Changed Expected Fix Release for PAN-OS 11.2"}, {"lang": "en", "time": "2025-05-15T19:00:00.000Z", "value": "Added Prisma Access and Cloud NGFW to Affected Products."}, {"lang": "en", "time": "2025-05-14T16:00:00.000Z", "value": "Initial Publication"}], "solutions": [{"lang": "eng", "value": "VERSION MINOR VERSION SUGGESTED SOLUTION\nPAN-OS 11.2 11.2.0 through 11.2.4 Upgrade to 11.2.4-h9 or later\n\u00a0 11.2.5 through 11.2.6 Upgrade to 11.2.7 or later\nPAN-OS 11.1 11.1.0 through 11.1.6 Upgrade to 11.1.6-h14 or later\n\u00a0 11.1.7 through 11.1.10 Upgrade to 11.1.10-h1 or later\nPAN-OS 10.2 10.2.0 through 10.2.16 Upgrade to 10.2.16-h1 or later\nPAN-OS 10.1 10.1.0 through 10.1.14 Upgrade to 10.2.16-h1 or later\nAll other older unsupported PAN-OS versions Upgrade to a supported fixed version\n\nPAN-OS 10.1 is in\u00a0L (https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy)imited Support (https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy)\u00a0and reaches\u00a0Software EOL (https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary)in March 2026.\n\nhttps://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy", "supportingMedia": [{"type": "text/html", "value": "<table><thead><tr><th>Version</th><th>Minor Version</th><th>Suggested Solution</th></tr></thead><tbody><tr><td>PAN-OS 11.2</td><td>11.2.0 through 11.2.4</td><td>Upgrade to 11.2.4-h9 or later</td></tr><tr><td>&nbsp;</td><td>11.2.5 through 11.2.6</td><td>Upgrade to 11.2.7 or later</td></tr><tr><td>PAN-OS 11.1</td><td>11.1.0 through 11.1.6</td><td>Upgrade to 11.1.6-h14 or later</td></tr><tr><td>&nbsp;</td><td>11.1.7 through 11.1.10</td><td>Upgrade to 11.1.10-h1 or later</td></tr><tr><td>PAN-OS 10.2</td><td>10.2.0 through 10.2.16</td><td>Upgrade to 10.2.16-h1 or later</td></tr><tr><td>PAN-OS 10.1</td><td>10.1.0 through 10.1.14</td><td>Upgrade to 10.2.16-h1 or later</td></tr><tr><td>All other older unsupported PAN-OS versions<br></td><td><br></td><td>Upgrade to a supported fixed version<br></td></tr></tbody></table><p>PAN-OS 10.1 is in&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy\">L</a><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy\">imited Support</a>&nbsp;and reaches&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary\">Software EOL </a>in March 2026.</p><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy\"></a>", "base64": false}]}], "datePublic": "2025-05-14T16:00:00.000Z", "references": [{"url": "https://security.paloaltonetworks.com/CVE-2025-0133", "tags": ["vendor-advisory"]}], "workarounds": [{"lang": "en", "value": "Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510003 and 510004 from Applications and Threats content version 8995.\n\nFor all Cloud NGFW, PAN-OS, and Prisma Access deployments, it is crucial to ensure that Vulnerability Protection profiles are explicitly applied to the security rules that process traffic from GlobalProtect interfaces. This ensures the Threat Prevention signatures are actively enforced. For detailed guidance on applying Vulnerability Protection to GlobalProtect interfaces, please refer to: https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184.\n\n\nYou can also disable Clientless VPN to reduce impact in the event of exploitation, though this will not block the exploit in it's entirety. For more information, review the security advisory\u00a0PAN-SA-2025-0005 (https://security.paloaltonetworks.com/PAN-SA-2025-0005).\n\nPrevious versions of this advisory have listed the recommended content version as 8970 and 8990. We now recommend 8995 as it has the latest updates to the signatures to cover additional exploit variants.", "supportingMedia": [{"type": "text/html", "value": "<p>Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510003 and 510004 from Applications and Threats content version 8995.</p><p>For all Cloud NGFW, PAN-OS, and Prisma Access deployments, it is crucial to ensure that Vulnerability Protection profiles are explicitly applied to the security rules that process traffic from GlobalProtect interfaces. This ensures the Threat Prevention signatures are actively enforced. For detailed guidance on applying Vulnerability Protection to GlobalProtect interfaces, please refer to: <a target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184\">https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184</a>.<br></p><p>You can also disable Clientless VPN to reduce impact in the event of exploitation, though this will not block the exploit in it's entirety. For more information, review the security advisory&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://security.paloaltonetworks.com/PAN-SA-2025-0005\">PAN-SA-2025-0005</a>.</p><i>Previous versions of this advisory have listed the recommended content version as 8970 and 8990. We now recommend 8995 as it has the latest updates to the signatures to cover additional exploit variants.&nbsp;</i>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect\u2122 gateway and portal features of Palo Alto Networks PAN-OS\u00ae software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft\u2014particularly if you enabled Clientless VPN.\n\nThere is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal.\n\n\n\nFor GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin PAN-SA-2025-0005 https://security.paloaltonetworks.com/PAN-SA-2025-0005 https://security.paloaltonetworks.com/PAN-SA-2025-0005 . There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN.", "supportingMedia": [{"type": "text/html", "value": "<p></p><p><span>A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect\u2122 gateway and portal features of Palo Alto Networks PAN-OS\u00ae software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft\u2014particularly if you enabled Clientless VPN.</span></p><p><span>There is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal.</span></p><p></p><p>For GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin <a target=\"_blank\" rel=\"nofollow\" href=\"https://security.paloaltonetworks.com/PAN-SA-2025-0005\">PAN-SA-2025-0005</a><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.paloaltonetworks.com/PAN-SA-2025-0005\"></a>. There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "configurations": [{"lang": "en", "value": "This issue is applicable only to PAN-OS firewall configurations with an enabled GlobalProtect gateway or portal.", "supportingMedia": [{"type": "text/html", "value": "This issue is applicable only to PAN-OS firewall configurations with an enabled GlobalProtect gateway or portal.", "base64": false}]}], "x_affectedList": ["PAN-OS 11.2.6", "PAN-OS 11.2.5", "PAN-OS 11.2.4-h8", "PAN-OS 11.2.4-h7", "PAN-OS 11.2.4-h6", "PAN-OS 11.2.4-h5", "PAN-OS 11.2.4-h4", "PAN-OS 11.2.4-h3", "PAN-OS 11.2.4-h2", "PAN-OS 11.2.4-h1", "PAN-OS 11.2.4", "PAN-OS 11.2.3-h5", "PAN-OS 11.2.3-h4", "PAN-OS 11.2.3-h3", "PAN-OS 11.2.3-h2", "PAN-OS 11.2.3-h1", "PAN-OS 11.2.3", "PAN-OS 11.2.2-h2", "PAN-OS 11.2.2-h1", "PAN-OS 11.2.1-h1", "PAN-OS 11.2.1", "PAN-OS 11.2.0-h1", "PAN-OS 11.2.0", "PAN-OS 11.1.10", "PAN-OS 11.1.9", "PAN-OS 11.1.8", "PAN-OS 11.1.6-h10", "PAN-OS 11.1.6-h7", "PAN-OS 11.1.6-h6", "PAN-OS 11.1.6-h4", "PAN-OS 11.1.6-h3", "PAN-OS 11.1.6-h2", "PAN-OS 11.1.6-h1", "PAN-OS 11.1.6", "PAN-OS 11.1.5-h1", "PAN-OS 11.1.5", "PAN-OS 11.1.4-h27", "PAN-OS 11.1.4-h25", "PAN-OS 11.1.4-h18", "PAN-OS 11.1.4-h17", "PAN-OS 11.1.4-h15", "PAN-OS 11.1.4-h13", "PAN-OS 11.1.4-h12", "PAN-OS 11.1.4-h11", "PAN-OS 11.1.4-h10", "PAN-OS 11.1.4-h9", "PAN-OS 11.1.4-h8", "PAN-OS 11.1.4-h7", "PAN-OS 11.1.4-h6", "PAN-OS 11.1.4-h5", "PAN-OS 11.1.4-h4", "PAN-OS 11.1.4-h3", "PAN-OS 11.1.4-h2", "PAN-OS 11.1.4-h1", "PAN-OS 11.1.4", "PAN-OS 11.1.3-h13", "PAN-OS 11.1.3-h12", "PAN-OS 11.1.3-h11", "PAN-OS 11.1.3-h10", "PAN-OS 11.1.3-h9", "PAN-OS 11.1.3-h8", "PAN-OS 11.1.3-h7", "PAN-OS 11.1.3-h6", "PAN-OS 11.1.3-h5", "PAN-OS 11.1.3-h4", "PAN-OS 11.1.3-h3", "PAN-OS 11.1.3-h2", "PAN-OS 11.1.3-h1", "PAN-OS 11.1.3", "PAN-OS 11.1.2-h18", "PAN-OS 11.1.2-h17", "PAN-OS 11.1.2-h16", "PAN-OS 11.1.2-h15", "PAN-OS 11.1.2-h14", "PAN-OS 11.1.2-h13", "PAN-OS 11.1.2-h12", "PAN-OS 11.1.2-h11", "PAN-OS 11.1.2-h10", "PAN-OS 11.1.2-h9", "PAN-OS 11.1.2-h8", "PAN-OS 11.1.2-h7", "PAN-OS 11.1.2-h6", "PAN-OS 11.1.2-h5", "PAN-OS 11.1.2-h4", "PAN-OS 11.1.2-h3", "PAN-OS 11.1.2-h2", "PAN-OS 11.1.2-h1", "PAN-OS 11.1.2", "PAN-OS 11.1.1-h2", "PAN-OS 11.1.1-h1", "PAN-OS 11.1.1", "PAN-OS 11.1.0-h4", "PAN-OS 11.1.0-h3", "PAN-OS 11.1.0-h2", "PAN-OS 11.1.0-h1", "PAN-OS 11.1.0", "PAN-OS 10.2.16", "PAN-OS 10.2.15", "PAN-OS 10.2.14-h1", "PAN-OS 10.2.14", "PAN-OS 10.2.13-h18", "PAN-OS 10.2.13-h16", "PAN-OS 10.2.13-h15", "PAN-OS 10.2.13-h10", "PAN-OS 10.2.13-h7", "PAN-OS 10.2.13-h5", "PAN-OS 10.2.13-h4", "PAN-OS 10.2.13-h3", "PAN-OS 10.2.13-h2", "PAN-OS 10.2.13-h1", "PAN-OS 10.2.13", "PAN-OS 10.2.12-h6", "PAN-OS 10.2.12-h5", "PAN-OS 10.2.12-h4", "PAN-OS 10.2.12-h3", "PAN-OS 10.2.12-h2", "PAN-OS 10.2.12-h1", "PAN-OS 10.2.12", "PAN-OS 10.2.11-h13", "PAN-OS 10.2.11-h12", "PAN-OS 10.2.11-h11", "PAN-OS 10.2.11-h10", "PAN-OS 10.2.11-h9", "PAN-OS 10.2.11-h8", "PAN-OS 10.2.11-h7", "PAN-OS 10.2.11-h6", "PAN-OS 10.2.11-h5", "PAN-OS 10.2.11-h4", "PAN-OS 10.2.11-h3", "PAN-OS 10.2.11-h2", "PAN-OS 10.2.11-h1", "PAN-OS 10.2.11", "PAN-OS 10.2.10-h31", "PAN-OS 10.2.10-h30", "PAN-OS 10.2.10-h27", "PAN-OS 10.2.10-h26", "PAN-OS 10.2.10-h23", "PAN-OS 10.2.10-h21", "PAN-OS 10.2.10-h18", "PAN-OS 10.2.10-h17", "PAN-OS 10.2.10-h14", "PAN-OS 10.2.10-h13", "PAN-OS 10.2.10-h12", "PAN-OS 10.2.10-h11", "PAN-OS 10.2.10-h10", "PAN-OS 10.2.10-h9", "PAN-OS 10.2.10-h8", "PAN-OS 10.2.10-h7", "PAN-OS 10.2.10-h6", "PAN-OS 10.2.10-h5", "PAN-OS 10.2.10-h4", "PAN-OS 10.2.10-h3", "PAN-OS 10.2.10-h2", "PAN-OS 10.2.10-h1", "PAN-OS 10.2.10", "PAN-OS 10.2.9-h21", "PAN-OS 10.2.9-h20", "PAN-OS 10.2.9-h19", "PAN-OS 10.2.9-h18", "PAN-OS 10.2.9-h17", "PAN-OS 10.2.9-h16", "PAN-OS 10.2.9-h15", "PAN-OS 10.2.9-h14", "PAN-OS 10.2.9-h13", "PAN-OS 10.2.9-h12", "PAN-OS 10.2.9-h11", "PAN-OS 10.2.9-h10", "PAN-OS 10.2.9-h9", "PAN-OS 10.2.9-h8", "PAN-OS 10.2.9-h7", "PAN-OS 10.2.9-h6", "PAN-OS 10.2.9-h5", "PAN-OS 10.2.9-h4", "PAN-OS 10.2.9-h3", "PAN-OS 10.2.9-h2", "PAN-OS 10.2.9-h1", "PAN-OS 10.2.9", "PAN-OS 10.2.8-h21", "PAN-OS 10.2.8-h20", "PAN-OS 10.2.8-h19", "PAN-OS 10.2.8-h18", "PAN-OS 10.2.8-h17", "PAN-OS 10.2.8-h16", "PAN-OS 10.2.8-h15", "PAN-OS 10.2.8-h14", "PAN-OS 10.2.8-h13", "PAN-OS 10.2.8-h12", "PAN-OS 10.2.8-h11", "PAN-OS 10.2.8-h10", "PAN-OS 10.2.8-h9", "PAN-OS 10.2.8-h8", "PAN-OS 10.2.8-h7", "PAN-OS 10.2.8-h6", "PAN-OS 10.2.8-h5", "PAN-OS 10.2.8-h4", "PAN-OS 10.2.8-h3", "PAN-OS 10.2.8-h2", "PAN-OS 10.2.8-h1", "PAN-OS 10.2.8", "PAN-OS 10.2.7-h32", "PAN-OS 10.2.7-h24", "PAN-OS 10.2.7-h23", "PAN-OS 10.2.7-h22", "PAN-OS 10.2.7-h21", "PAN-OS 10.2.7-h20", "PAN-OS 10.2.7-h19", "PAN-OS 10.2.7-h18", "PAN-OS 10.2.7-h17", "PAN-OS 10.2.7-h16", "PAN-OS 10.2.7-h15", "PAN-OS 10.2.7-h14", "PAN-OS 10.2.7-h13", "PAN-OS 10.2.7-h12", "PAN-OS 10.2.7-h11", "PAN-OS 10.2.7-h10", "PAN-OS 10.2.7-h9", "PAN-OS 10.2.7-h8", "PAN-OS 10.2.7-h7", "PAN-OS 10.2.7-h6", "PAN-OS 10.2.7-h5", "PAN-OS 10.2.7-h4", "PAN-OS 10.2.7-h3", "PAN-OS 10.2.7-h2", "PAN-OS 10.2.7-h1", "PAN-OS 10.2.7", "PAN-OS 10.2.6-h6", "PAN-OS 10.2.6-h5", "PAN-OS 10.2.6-h4", "PAN-OS 10.2.6-h3", "PAN-OS 10.2.6-h2", "PAN-OS 10.2.6-h1", "PAN-OS 10.2.6", "PAN-OS 10.2.5-h9", "PAN-OS 10.2.5-h8", "PAN-OS 10.2.5-h7", "PAN-OS 10.2.5-h6", "PAN-OS 10.2.5-h5", "PAN-OS 10.2.5-h4", "PAN-OS 10.2.5-h3", "PAN-OS 10.2.5-h2", "PAN-OS 10.2.5-h1", "PAN-OS 10.2.5", "PAN-OS 10.2.4-h32", "PAN-OS 10.2.4-h31", "PAN-OS 10.2.4-h30", "PAN-OS 10.2.4-h29", "PAN-OS 10.2.4-h28", "PAN-OS 10.2.4-h27", "PAN-OS 10.2.4-h26", "PAN-OS 10.2.4-h25", "PAN-OS 10.2.4-h24", "PAN-OS 10.2.4-h23", "PAN-OS 10.2.4-h22", "PAN-OS 10.2.4-h21", "PAN-OS 10.2.4-h20", "PAN-OS 10.2.4-h19", "PAN-OS 10.2.4-h18", "PAN-OS 10.2.4-h17", "PAN-OS 10.2.4-h16", "PAN-OS 10.2.4-h15", "PAN-OS 10.2.4-h14", "PAN-OS 10.2.4-h13", "PAN-OS 10.2.4-h12", "PAN-OS 10.2.4-h11", "PAN-OS 10.2.4-h10", "PAN-OS 10.2.4-h9", "PAN-OS 10.2.4-h8", "PAN-OS 10.2.4-h7", "PAN-OS 10.2.4-h6", "PAN-OS 10.2.4-h5", "PAN-OS 10.2.4-h4", "PAN-OS 10.2.4-h3", "PAN-OS 10.2.4-h2", "PAN-OS 10.2.4-h1", "PAN-OS 10.2.4", "PAN-OS 10.2.3-h14", "PAN-OS 10.2.3-h13", "PAN-OS 10.2.3-h12", "PAN-OS 10.2.3-h11", "PAN-OS 10.2.3-h10", "PAN-OS 10.2.3-h9", "PAN-OS 10.2.3-h8", "PAN-OS 10.2.3-h7", "PAN-OS 10.2.3-h6", "PAN-OS 10.2.3-h5", "PAN-OS 10.2.3-h4", "PAN-OS 10.2.3-h3", "PAN-OS 10.2.3-h2", "PAN-OS 10.2.3-h1", "PAN-OS 10.2.3", "PAN-OS 10.2.2-h6", "PAN-OS 10.2.2-h5", "PAN-OS 10.2.2-h4", "PAN-OS 10.2.2-h3", "PAN-OS 10.2.2-h2", "PAN-OS 10.2.2-h1", "PAN-OS 10.2.2", "PAN-OS 10.2.1-h3", "PAN-OS 10.2.1-h2", "PAN-OS 10.2.1-h1", "PAN-OS 10.2.1", "PAN-OS 10.2.0-h4", "PAN-OS 10.2.0-h3", "PAN-OS 10.2.0-h2", "PAN-OS 10.2.0-h1", "PAN-OS 10.2.0", "PAN-OS 10.1.14-h20", "PAN-OS 10.1.14-h19", "PAN-OS 10.1.14-h16", "PAN-OS 10.1.14-h15", "PAN-OS 10.1.14-h14", "PAN-OS 10.1.14-h13", "PAN-OS 10.1.14-h11", "PAN-OS 10.1.14-h10", "PAN-OS 10.1.14-h9", "PAN-OS 10.1.14-h8", "PAN-OS 10.1.14-h7", "PAN-OS 10.1.14-h6", "PAN-OS 10.1.14-h5", "PAN-OS 10.1.14-h4", "PAN-OS 10.1.14-h3", "PAN-OS 10.1.14-h2", "PAN-OS 10.1.14-h1", "PAN-OS 10.1.14", "PAN-OS 10.1.13-h5", "PAN-OS 10.1.13-h4", "PAN-OS 10.1.13-h3", "PAN-OS 10.1.13-h2", "PAN-OS 10.1.13-h1", "PAN-OS 10.1.13", "PAN-OS 10.1.12-h3", "PAN-OS 10.1.12-h2", "PAN-OS 10.1.12-h1", "PAN-OS 10.1.12", "PAN-OS 10.1.11-h10", "PAN-OS 10.1.11-h9", "PAN-OS 10.1.11-h8", "PAN-OS 10.1.11-h7", "PAN-OS 10.1.11-h6", "PAN-OS 10.1.11-h5", "PAN-OS 10.1.11-h4", "PAN-OS 10.1.11-h3", "PAN-OS 10.1.11-h2", "PAN-OS 10.1.11-h1", "PAN-OS 10.1.11", "PAN-OS 10.1.10-h9", "PAN-OS 10.1.10-h8", "PAN-OS 10.1.10-h7", "PAN-OS 10.1.10-h6", "PAN-OS 10.1.10-h5", "PAN-OS 10.1.10-h4", "PAN-OS 10.1.10-h3", "PAN-OS 10.1.10-h2", "PAN-OS 10.1.10-h1", "PAN-OS 10.1.10", "PAN-OS 10.1.9-h14", "PAN-OS 10.1.9-h13", "PAN-OS 10.1.9-h12", "PAN-OS 10.1.9-h11", "PAN-OS 10.1.9-h10", "PAN-OS 10.1.9-h9", "PAN-OS 10.1.9-h8", "PAN-OS 10.1.9-h7", "PAN-OS 10.1.9-h6", "PAN-OS 10.1.9-h5", "PAN-OS 10.1.9-h4", "PAN-OS 10.1.9-h3", "PAN-OS 10.1.9-h2", "PAN-OS 10.1.9-h1", "PAN-OS 10.1.9", "PAN-OS 10.1.8-h8", "PAN-OS 10.1.8-h7", "PAN-OS 10.1.8-h6", "PAN-OS 10.1.8-h5", "PAN-OS 10.1.8-h4", "PAN-OS 10.1.8-h3", "PAN-OS 10.1.8-h2", "PAN-OS 10.1.8-h1", "PAN-OS 10.1.8", "PAN-OS 10.1.7-h1", "PAN-OS 10.1.7", "PAN-OS 10.1.6-h9", "PAN-OS 10.1.6-h8", "PAN-OS 10.1.6-h7", "PAN-OS 10.1.6-h6", "PAN-OS 10.1.6-h5", "PAN-OS 10.1.6-h4", "PAN-OS 10.1.6-h3", "PAN-OS 10.1.6-h2", "PAN-OS 10.1.6-h1", "PAN-OS 10.1.6", "PAN-OS 10.1.5-h4", "PAN-OS 10.1.5-h3", "PAN-OS 10.1.5-h2", "PAN-OS 10.1.5-h1", "PAN-OS 10.1.5", "PAN-OS 10.1.4-h6", "PAN-OS 10.1.4-h5", "PAN-OS 10.1.4-h4", "PAN-OS 10.1.4-h3", "PAN-OS 10.1.4-h2", "PAN-OS 10.1.4-h1", "PAN-OS 10.1.4", "PAN-OS 10.1.3-h4", "PAN-OS 10.1.3-h3", "PAN-OS 10.1.3-h2", "PAN-OS 10.1.3-h1", "PAN-OS 10.1.3", "PAN-OS 10.1.2", "PAN-OS 10.1.1", "PAN-OS 10.1.0"], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:palo_alto_networks:cloud_ngfw:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "all"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "11.2.7", "versionStartIncluding": "11.2.0"}, {"criteria": "cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "11.2.4-h9", "versionStartIncluding": "11.2.4"}, {"criteria": "cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "11.1.10-h1", "versionStartIncluding": "11.1.10"}, {"criteria": "cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "11.1.6-h14", "versionStartIncluding": "11.1.6"}, {"criteria": "cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.2.16-h1", "versionStartIncluding": "10.2.16"}, {"criteria": "cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "10.1.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "all"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2026-04-02T23:38:11.074Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0133", "state": "PUBLISHED", "dateUpdated": "2026-04-02T23:38:11.074Z", "dateReserved": "2024-12-20T23:23:33.828Z", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "datePublished": "2025-05-14T18:07:36.381Z", "assignerShortName": "palo_alto"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect\u2122 gateway and portal features of Palo Alto Networks PAN-OS\u00ae software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft\u2014particularly if you enabled Clientless VPN.\n\nThere is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal.\n\n\n\nFor GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin PAN-SA-2025-0005 https://security.paloaltonetworks.com/PAN-SA-2025-0005 https://security.paloaltonetworks.com/PAN-SA-2025-0005 . There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN."}, {"lang": "es", "value": "Una vulnerabilidad cross-site scripting (XSS) reflejado en las funciones de portal y puerta de enlace de GlobalProtect\u2122 del software PAN-OS\u00ae de Palo Alto Networks permite la ejecuci\u00f3n de JavaScript malicioso en el navegador de un usuario autenticado de un portal cautivo al hacer clic en un enlace especialmente manipulado. El principal riesgo son los ataques de phishing que pueden provocar el robo de credenciales, especialmente si se ha habilitado la VPN sin cliente. No se ha visto afectada la disponibilidad de las funciones ni los usuarios de GlobalProtect. Los atacantes no pueden usar esta vulnerabilidad para manipular o modificar el contenido o la configuraci\u00f3n del portal o las puertas de enlace de GlobalProtect. El impacto en la integridad de esta vulnerabilidad se limita a permitir que un atacante cree enlaces de phishing y robo de credenciales que parecen estar alojados en el portal de GlobalProtect. Para los usuarios de GlobalProtect con la VPN sin cliente habilitada, el impacto en la confidencialidad es limitado debido a los riesgos inherentes de la VPN sin cliente que facilitan el robo de credenciales. Puede obtener m\u00e1s informaci\u00f3n sobre este riesgo en el bolet\u00edn informativo PAN-SA-2025-0005 (https://security.paloaltonetworks.com/PAN-SA-2025-0005). La confidencialidad de los usuarios de GlobalProtect no se ve afectada si no habilita (o deshabilita) la VPN sin cliente."}], "id": "CVE-2025-0133", "lastModified": "2026-04-03T00:16:03.777", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}]}, "published": "2025-05-14T19:15:51.517", "references": [{"source": "psirt@paloaltonetworks.com", "url": "https://security.paloaltonetworks.com/CVE-2025-0133"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}]}

{}

{}