It seems Palo Alto already accepted the vulnerability and provided remediation. Cisco was challenging the finding.
I'm in the camp of if you think this attack is a going to be a problem, then you have bigger problems you need to resolve first. Like an actor having persistent access to the endpoint and has the ability to dump your memory and search for cookies and tokens.
They could install a keylogger and just use valid credentials.
Doesn't mean the issue shouldn't be addressed, I think the vendors in this respect correctly triaged the issue and will fix it later down the line.