VYPR
Unrated severity · NVD Advisory · Published Apr 14, 2015 · Updated May 6, 2026

CVE-2015-2223

Description

Multiple cross-site scripting (XSS) vulnerabilities in the web-based console management interface in Palo Alto Networks Traps (formerly Cyvera Endpoint Protection) 3.1.2.1546 allow remote attackers to inject arbitrary web script or HTML via the (1) Arguments, (2) FileName, or (3) URL parameter in a SOAP request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Palo Alto Networks Traps ESM Console 3.2.1 and earlier are vulnerable to stored cross-site scripting via SOAP request parameters, allowing attacker-injected script execution in the admin interface.

Vulnerability

Palo Alto Networks Traps (formerly Cyvera Endpoint Protection) 3.2.1 and earlier, specifically versions 3.1.x below 3.1.5.3691 and 3.2.x below 3.2.1.3559, contain multiple cross-site scripting (XSS) vulnerabilities in the web-based console management interface [1]. An attacker can inject arbitrary web script or HTML through the Arguments, FileName, or URL parameters in a SOAP request [1]. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) [1].

Exploitation

An attacker must send a crafted SOAP request containing malicious script in the Arguments, FileName, or URL parameters to the Traps ESM console [1]. This requires network access to the console and user interaction: an authenticated administrator must be tricked into visiting a page that renders the injected payload [1]. The attack complexity is high, and no privileges are required to send the request, but the target must be logged into the management interface [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the authenticated administrator's browser session [1]. This can lead to low confidentiality impact (e.g., theft of session cookies or sensitive information displayed in the console) and low integrity impact (e.g., modification of UI content or actions performed on behalf of the admin) [1]. The scope is unchanged, meaning the attack affects only the vulnerable component [1].

Mitigation

Palo Alto Networks released fixes for this issue in Traps ESM Console versions 3.1.5.3691 and 3.2.1.3559 [1]. The solution is to upgrade to one of these patched versions or later [1]. No workarounds are documented in the available reference. The CVE was published in April 2015, and the advisory was updated in February 2016 [1].
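As an added defensive illustration (not code from Palo Alto Networks or from this advisory), the following inspects a SOAP request for the three parameters the CVE names, flags values that carry HTML or script, and produces the escaped form a console would need to render them safely. The element layout of the sample envelope is an assumption, since the page gives only the parameter names, not the Traps SOAP schema.

```python
import html
import re
import xml.etree.ElementTree as ET

# The three SOAP parameters named in CVE-2015-2223 as injection points.
TAINTED_PARAMS = ("Arguments", "FileName", "URL")

# Heuristic for content that becomes active if reflected unescaped into HTML:
# a tag opener, an inline event-handler attribute, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

def _local(tag):
    """Drop any '{namespace}' prefix so matching works regardless of schema."""
    return tag.rsplit("}", 1)[-1]

def extract_params(envelope):
    """Return {name: text} for every tainted parameter found in the envelope."""
    # The stdlib expat parser does not resolve external entities; defusedxml
    # is still the safer choice when parsing fully untrusted XML.
    root = ET.fromstring(envelope)
    return {_local(el.tag): (el.text or "")
            for el in root.iter() if _local(el.tag) in TAINTED_PARAMS}

def audit_soap_request(envelope):
    """Flag parameters that carry markup and give the HTML-escaped form to render."""
    return {
        name: {"suspicious": bool(MARKUP_RE.search(value)),
               "safe_html": html.escape(value, quote=True)}
        for name, value in extract_params(envelope).items()
    }

# Constructed sample request: the real Traps SOAP schema is not on the page,
# only the parameter names, so the element layout here is an assumption.
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ReportEvent xmlns="urn:example:traps">
      <FileName>notepad.exe</FileName>
      <Arguments>&lt;script&gt;alert(1)&lt;/script&gt;</Arguments>
      <URL>http://example.com/</URL>
    </ReportEvent>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for name, info in audit_soap_request(SAMPLE_REQUEST).items():
        print(name, info)
```

The escaping shown is the text-node case only; a value placed into an attribute, a URL, or a script context needs the encoding appropriate to that context.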

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 0 (no linked articles in our index yet)