We received this vulnerability in the report by our vendor for our PA:
"According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by a cross site scripting vulnerability"
And the solution it gives for this is "Upgrade to JQuery version 3.5.0 or later."
And PA TAC suggested the below:
"Currently there is no scheduled release date for the JQuery 3.5.X library within PAN-OS however it is presently going through QA and being evaluated for future release. Please note PAN-OS uses a small subset of the JQuery function and so it is not impacted by the cross-site scripting vulnerability in said JQuery version. In addition engineering released signature coverage for CVE-2020-11022 and CVE-2020-11023 in Content update 8281 with Threat ID 57176 which detects HTTP Cross Site Scripting Vulnerability. Please apply it to traffic including GlobalProtect if you are using it."
So at that time it was under QA testing and there was no ETA provided, so please advise on any permanent solution provided for this vulnerability.
I mean, a permanent solution would be waiting until PAN releases a software release which migrates to an updated version of the JQuery library. I would take to heart what TAC is telling you though; if they are telling you that PAN-OS isn't subject to the XSS vulnerabilities because they aren't using the affected component of the JQuery library, that was passed to TAC from engineering.