Web PAN-OS - Reflected Cross-Site Scripting CVE-2025-0133

[pianoxltd]

Description​

A Cross-Site Scripting (XSS) vulnerability was discovered in the GlobalProtect VPN portal's getconfig.esp endpoint. The vulnerability exists because the application reflects user input from the user parameter in an XML response without proper sanitization.

The vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the GlobalProtect VPN portal. This could lead to theft of user credentials, session tokens, or other sensitive information processed by the VPN portal. The attack requires no special privileges and can be triggered by any user who can access the getconfig.esp endpoint.

https://site.com/ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer

 

[barnaul]

useless thing

 

[pianoxltd]

useless thing

https://hackerone.com/reports/3096384

This vulnerability is particularly concerning because it affects a VPN portal, which is a critical security component that typically handles sensitive authentication and access control functions. The ability to execute arbitrary JavaScript in this context could lead to credential theft, session hijacking, or other attacks against VPN users.

 

[barnaul]

do you understand that you must have a user database from this access, their contacts or something else, so that you send them a link, they must follow it, so that you steal their session? Looks fucking awesome. Congratulations

 

[pianoxltd]

CVSSv4: 6.9
You are right
The primary risk involves potential phishing attacks that could lead to credential theft, especially for users with Clientless VPN enabled