PaloAlto Captive Portal XSS Attack

PaloAlto has issued a patch for an XSS vulnerability in the captive portal that I disclosed a few months back. The official advisory can be found here:
(Detail taken from

The attack has been given a CVSS score of 6.1:

(Screenshot taken from IBM X-Force:

Below follows the original report submitted to PaloAlto along with sample exploit code:

Version: PAN-OS 7.0.5

Summary: XSS issue in the HTML used for the user login portal. An attacker can run arbitrary JavaScript by manipulating the username field. See attached screenshot.

Steps to Reproduce:

  1. Set up a plain vanilla, standard HTTP captive portal, using the web form option.
  2. A user will be presented with the default captive portal.
  3. As a username, enter something like (including all quotes):

";alert('i can steal your cookies');var test="

  4. Alert is shown (see screenshot below).
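The payload above works because the portal drops the submitted username straight into a JavaScript string literal inside an inline script: the leading `";` closes that literal and ends the statement, the `alert(...)` runs, and the trailing `var test="` opens a fresh literal so the original closing quote leaves the script syntactically valid. The following is an added example, not Palo Alto's code and not taken from the report: a constructed page template that reflects the username the way the report describes, beside a hardened version, with a small harness that evaluates the inline script the way a browser would. The template markup, the variable name `user`, and the helper names are assumptions for illustration.

```javascript
// Added example (not PAN-OS code): reflecting an untrusted value into a JS
// string literal, vulnerable vs. hardened. Names and markup are assumptions.
const PAYLOAD = '";alert(\'i can steal your cookies\');var test="';

// Vulnerable: concatenates the raw username into the string literal, so a
// double quote in the input terminates the literal early.
function renderVulnerable(username) {
  return '<script>var user = "' + username + '";</script>';
}

// Hardened: JSON.stringify escapes quotes and backslashes so the value can
// never close the literal; the extra replacements neutralise "</script>" (which
// would otherwise end the script block regardless of quoting) and the U+2028 /
// U+2029 line terminators that older engines treat as statement breaks.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(username) {
  return '<script>var user = ' + jsStringLiteral(username) + ';</script>';
}

// Stand-in for the browser: pull the first inline script out of the page and
// run it with a stub alert(). Returns what alert() was called with and the
// value `user` ended up holding, so the breakout is observable without a UI.
function runInlineScript(html) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(html);
  if (!m) throw new Error('no inline script in page');
  const alertCalls = [];
  const script = new Function('alert', m[1] + '; return user;');
  const user = script((msg) => alertCalls.push(msg));
  return { alertCalls, user };
}

// Demonstration with the report's payload and an ordinary username.
const demo = {
  vulnerable: runInlineScript(renderVulnerable(PAYLOAD)),
  hardened: runInlineScript(renderHardened(PAYLOAD)),
  benign: runInlineScript(renderVulnerable('alice')),
};
console.log(JSON.stringify(demo, null, 2));
```

Run under Node: the vulnerable render fires the stub alert and leaves `user` empty, while the hardened render fires nothing and `user` holds the payload verbatim as data. The same discipline applies to any server-side template that emits values into script context; HTML-escaping alone is not enough there, because `&quot;` is not an escape inside a JavaScript string.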


