Share
## https://sploitus.com/exploit?id=D0EEFAF2-2055-5FEC-8DB2-90AA68374CFF
# PAN-OS Stored XSS โ€” Incomplete Sanitization of a Known-Bad Variable

A stored Cross-Site Scripting vulnerability exists in the PAN-OS management
interface, reproducible on the latest version available in our lab (**12.1.4** at the time of writing).

An authenticated administrator can inject JavaScript via the 'secure-proxy-user' variable,
reachable through the UI at Device, Setup, Services. Once set, the payload persists in
device configuration and executes in the browser of any administrator who
visits the affected page.

![Stored XSS executing in PAN-OS management interface](alert1.png)

## Root Cause

This variable seems to have been previously identified as security-sensitive during the
remediation of [CVE-2025-4615](https://security.paloaltonetworks.com/CVE-2025-4615).
Versions patched for that CVE seem to strip newline characters from this field, but
do not mitigate the broader XSS vector. The underlying injection path remains intact.

Applying context-appropriate output encoding (e.g., HTML entity encoding) when
rendering this field, or enforcing a strict allowlist on accepted input characters,
would prevent exploitation.

## Impact

- **Stored XSS** in the management interface, survives reboots
- Executes in the session of any authenticated administrator viewing the page
- 31-character payload limit
- Requires authenticated admin access (not pre-auth)
- Enables session hijacking, credential theft, or use as a step in broader
  attack chains

Not critical in isolation given the authentication requirement. However,
PAN-OS has a documented history of authentication bypass vulnerabilities
(e.g., [CVE-2024-0012](https://security.paloaltonetworks.com/CVE-2024-0012)), which may reduce the practical barrier to exploitation.

## Affected Versions

- **Confirmed:** PAN-OS 12.1.4
- Earlier versions likely affected โ€” version coverage testing was not
  performed as part of this research

---

## Proof of Concept

```

```

### Steps to Reproduce

1. Authenticate to the PAN-OS management interface as an administrator
2. Navigate to Device, Setup, Services
3. Paste the payload above into the Proxy User field, save
4. Have a second administrator access the page
5. Observe JavaScript execution

---

## Disclosure Timeline

- **October 13, 2025** โ€” Vulnerability reported to Palo Alto Networks
- **October 19, 2025** โ€” Follow-up sent
- **October 20, 2025** โ€” PANW acknowledged receipt
- **November 14, 2025** โ€” 90-day disclosure reminder sent
- **February 15, 2026** โ€” Public disclosure

This disclosure follows a standard 90-day responsible disclosure timeline.
No relevant communication was received from the vendor after initial
acknowledgment.

---

## References

- [CVE-2025-4615 โ€” Palo Alto Networks Security Advisory](https://security.paloaltonetworks.com/CVE-2025-4615)
- [Palo Alto Networks Security Advisories](https://security.paloaltonetworks.com/)

*All testing was conducted on authorized systems.*