===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0078
             Cross-Site Scripting in Expedition Migration Tool
                               13 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Palo Alto Expedition
Operating System:     Virtualisation
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-1571 CVE-2019-1570 CVE-2019-1569
Member content until: Friday, April 12 2019

OVERVIEW

        Palo Alto Networks has addressed a stored cross-site scripting (XSS)
        vulnerability in the Expedition Migration Tool for versions 1.1.8 and 
        earlier. [1]


IMPACT

        The vendor provided the following detail on the vulnerability:
        
        "Three cross-site scripting (XSS) vulnerabilities exist in the Palo Alto
        Networks Migration Tool ("Expedition"). (Ref # MT-926/ CVE-2019-1569; MT-927/
        CVE-2019-1570; MT-928, MT-929/ CVE-2019-1571)
        
        Severity: Low
        
        CVE-2019-1569: Successful exploitation of this issue may allow an authenticated
        attacker to inject arbitrary JavaScript or HTML in the User Mapping settings.
        CVE-2019-1570: Successful exploitation of this issue may allow an authenticated
        attacker to inject arbitrary JavaScript or HTML in the LDAP server settings.
        CVE-2019-1571: Successful exploitation of this issue may allow an authenticated
        attacker to inject arbitrary JavaScript or HTML in the RADIUS server settings."
        [1]


MITIGATION

        The vendor advises updating to the Palo Alto Networks Migration Tool 
        ("Expedition") 1.1.9 or later to address this issue. [1]


REFERENCES

        [1] Cross-Site Scripting in Expedition Migration Tool
            https://securityadvisories.paloaltonetworks.com/Home/Detail/142

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================