
CVE-2024-5906: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Palo Alto Networks Prisma Cloud Compute

Severity: Medium
Tags: Vulnerability, CVE-2024-5906, CWE-79
Published: Wed Jun 12 2024 (06/12/2024, 16:22:38 UTC)
Source: CVE Database V5
Vendor/Project: Palo Alto Networks
Product: Prisma Cloud Compute

Description

CVE-2024-5906 is a medium severity cross-site scripting (XSS) vulnerability in Palo Alto Networks Prisma Cloud Compute version 32. It allows a malicious administrator with add/edit permissions for identity providers to inject JavaScript payloads via the web interface. When another user accesses the affected interface, the malicious script executes in their browser context, potentially enabling unauthorized actions. Exploitation requires high privilege (administrator with specific permissions) and user interaction (the victim must access the interface). There are no known exploits in the wild currently. The vulnerability impacts confidentiality and integrity to a limited extent and does not affect availability. Organizations using Prisma Cloud Compute should apply patches once available and restrict administrative permissions carefully.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 02:55:37 UTC

Technical Analysis

CVE-2024-5906 is a cross-site scripting (XSS) vulnerability classified under CWE-79 found in Palo Alto Networks Prisma Cloud Compute, specifically version 32. The flaw arises from improper neutralization of input during web page generation: a malicious administrator with add/edit permissions on identity providers can store arbitrary JavaScript code via the web interface. This stored XSS payload executes when another user accesses the affected interface, causing the victim's browser to run the injected script in the victim's security context. This can lead to unauthorized actions performed on behalf of the victim user, such as session hijacking or manipulation of the web interface. The vulnerability requires the attacker to hold high-level privileges (administrator with specific permissions) and the victim to interact with the interface, which limits the attack scope. The CVSS 4.0 score is 4.8 (medium), reflecting a network attack vector and low attack complexity, with no authentication required of the victim, offset by the high privileges required of the attacker and the user interaction required of the victim. No known public exploits exist yet, and no patches had been linked at the time of publication. This vulnerability highlights the importance of input validation and output encoding in web applications, especially in administrative interfaces that manage identity providers.
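The following is an added example, not code from Prisma Cloud Compute or Palo Alto Networks, illustrating the CWE-79 defect class described above in miniature and the monitoring angle raised under Mitigation Recommendations. An administrator-supplied identity-provider field is stored and later rendered into an HTML page: rendering it raw lets stored markup execute in every viewer's browser, while escaping at the output boundary keeps it inert. The record shape (`id`, `name`, `issuer`), the helper names and the sample values are all assumptions constructed for the example.

```javascript
// Added example, not code from Prisma Cloud Compute or Palo Alto Networks.
// Record shape, helper names and sample values are constructed for illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for the HTML text context. This is the "neutralization"
// that CWE-79 names: applied at output time, for the context being written.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: stored fields are concatenated straight into markup,
// so whatever an administrator typed into the name becomes part of the page.
function renderProviderRowUnsafe(provider) {
  return `<tr><td>${provider.name}</td><td>${provider.issuer}</td></tr>`;
}

// Hardened rendering: every interpolated value passes through escapeHtml, so
// angle brackets and quotes reach the browser as text, never as tags.
function renderProviderRowSafe(provider) {
  return `<tr><td>${escapeHtml(provider.name)}</td><td>${escapeHtml(provider.issuer)}</td></tr>`;
}

// Audit helper for defenders: list stored identity-provider records whose
// free-text fields contain markup characters, so they can be reviewed while a
// fix is pending. A '<' is not proof of abuse, only a trigger for review.
function findProvidersWithMarkup(providers, fields = ['name', 'issuer']) {
  return providers
    .filter((p) => fields.some((f) => /[<>]/.test(String(p[f] ?? ''))))
    .map((p) => p.id);
}

// Constructed sample records (hypothetical ids and values, not real data).
const SAMPLE_PROVIDERS = [
  { id: 'idp-1', name: 'Corp SSO', issuer: 'https://idp.example.com' },
  { id: 'idp-2', name: 'Partner <b>bold</b>', issuer: 'https://partner.example.net' },
  { id: 'idp-3', name: 'Lab', issuer: 'https://lab.example.org' },
];

// Run stand-alone to compare both renderings of the record carrying markup.
if (typeof require !== 'undefined' && require.main === module) {
  const suspect = SAMPLE_PROVIDERS[1];
  console.log('unsafe :', renderProviderRowUnsafe(suspect));
  console.log('safe   :', renderProviderRowSafe(suspect));
  console.log('review :', findProvidersWithMarkup(SAMPLE_PROVIDERS));
}
```

The escaping here covers the HTML text context only; a value placed into a JavaScript string, a URL or a CSS rule needs the encoder for that context, and in a real front end the cleaner fix is to avoid string-built markup altogether and assign untrusted values through `textContent` or a templating engine that escapes by default. The audit helper is a stop-gap for the "monitor administrative activities" recommendation: it surfaces stored records worth a human look rather than deciding anything on its own.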

Potential Impact

The primary impact of CVE-2024-5906 is on the confidentiality and integrity of user sessions within Prisma Cloud Compute environments. A malicious administrator can inject scripts that execute in other users' browsers, potentially allowing session hijacking, unauthorized actions, or data exposure within the web interface. While availability is not directly affected, the trustworthiness of the administrative interface is compromised. Organizations relying on Prisma Cloud Compute for container security and cloud workload protection could face internal threats from privileged insiders exploiting this vulnerability. The requirement for high privileges limits external exploitation but raises concerns about insider threat and privilege misuse. If exploited, it could lead to unauthorized changes in security configurations or identity provider settings, impacting overall cloud security posture.

Mitigation Recommendations

Organizations should immediately audit and restrict administrative permissions, ensuring only trusted personnel have add/edit rights for identity providers. Implement strict role-based access controls (RBAC) and monitor administrative activities for suspicious behavior. Until a patch is released, avoid using the affected functionality or limit access to the Prisma Cloud Compute web interface via network segmentation and VPNs. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious script injections. Educate administrators about the risks of privilege misuse and enforce multi-factor authentication (MFA) to reduce risk of compromised credentials. Once Palo Alto Networks releases a patch, apply it promptly. Additionally, conduct regular security assessments and penetration testing focused on administrative interfaces to detect similar vulnerabilities proactively.


Technical Details

Data Version
5.1
Assigner Short Name
palo_alto
Date Reserved
2024-06-12T15:27:55.088Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 699f6bf6b7ef31ef0b55d124

Added to database: 2/25/2026, 9:39:02 PM

Last enriched: 2/26/2026, 2:55:37 AM

Last updated: 2/26/2026, 11:17:45 AM

