## https://sploitus.com/exploit?id=D0EEFAF2-2055-5FEC-8DB2-90AA68374CFF
# PAN-OS Stored XSS โ Incomplete Sanitization of a Known-Bad Variable
A stored Cross-Site Scripting vulnerability exists in the PAN-OS management
interface, reproducible on the latest version available in our lab (**12.1.4** at the time of writing).
An authenticated administrator can inject JavaScript via the 'secure-proxy-user' variable,
reachable through the UI at Device, Setup, Services. Once set, the payload persists in
device configuration and executes in the browser of any administrator who
visits the affected page.

## Root Cause
This variable seems to have been previously identified as security-sensitive during the
remediation of [CVE-2025-4615](https://security.paloaltonetworks.com/CVE-2025-4615).
Versions patched for that CVE seem to strip newline characters from this field, but
do not mitigate the broader XSS vector. The underlying injection path remains intact.
Applying context-appropriate output encoding (e.g., HTML entity encoding) when
rendering this field, or enforcing a strict allowlist on accepted input characters,
would prevent exploitation.
## Impact
- **Stored XSS** in the management interface, survives reboots
- Executes in the session of any authenticated administrator viewing the page
- 31-character payload limit
- Requires authenticated admin access (not pre-auth)
- Enables session hijacking, credential theft, or use as a step in broader
attack chains
Not critical in isolation given the authentication requirement. However,
PAN-OS has a documented history of authentication bypass vulnerabilities
(e.g., [CVE-2024-0012](https://security.paloaltonetworks.com/CVE-2024-0012)), which may reduce the practical barrier to exploitation.
## Affected Versions
- **Confirmed:** PAN-OS 12.1.4
- Earlier versions likely affected โ version coverage testing was not
performed as part of this research
---
## Proof of Concept
```
```
### Steps to Reproduce
1. Authenticate to the PAN-OS management interface as an administrator
2. Navigate to Device, Setup, Services
3. Paste the payload above into the Proxy User field, save
4. Have a second administrator access the page
5. Observe JavaScript execution
---
## Disclosure Timeline
- **October 13, 2025** โ Vulnerability reported to Palo Alto Networks
- **October 19, 2025** โ Follow-up sent
- **October 20, 2025** โ PANW acknowledged receipt
- **November 14, 2025** โ 90-day disclosure reminder sent
- **February 15, 2026** โ Public disclosure
This disclosure follows a standard 90-day responsible disclosure timeline.
No relevant communication was received from the vendor after initial
acknowledgment.
---
## References
- [CVE-2025-4615 โ Palo Alto Networks Security Advisory](https://security.paloaltonetworks.com/CVE-2025-4615)
- [Palo Alto Networks Security Advisories](https://security.paloaltonetworks.com/)
*All testing was conducted on authorized systems.*