Juniper Junos J-Web cross site scripting


A vulnerability has been found in Juniper Junos (a router operating system; affected versions unknown) and classified as problematic. It affects some unknown processing in the J-Web component. Upgrading eliminates this vulnerability.

Timeline

Analysing the timeline helps to identify the required approach and handling of individual vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, so that immediate vulnerability response can be initiated and issues prioritized.


| ID | Committed | User | Field | Change | Remarks | Moderated | Reason | C |
|---|---|---|---|---|---|---|---|---|
| 10639946 | 11/20/2020 | VulD... | cve_cna | Juniper Networks, Inc. | nvd.nist.gov | 11/20/2020 | accepted | 70 |
| 10639945 | 11/20/2020 | VulD... | cvss2_nvd_ai | C | nvd.nist.gov | 11/20/2020 | accepted | 70 |
| 10639944 | 11/20/2020 | VulD... | cvss2_nvd_ii | C | nvd.nist.gov | 11/20/2020 | accepted | 70 |
| 10639943 | 11/20/2020 | VulD... | cvss2_nvd_ci | C | nvd.nist.gov | 11/20/2020 | accepted | 70 |
| 10639942 | 11/20/2020 | VulD... | cvss2_nvd_au | N | nvd.nist.gov | 11/20/2020 | accepted | 70 |
| 10639941 | 11/20/2020 | VulD... | cvss2_nvd_ac | H | nvd.nist.gov | 11/20/2020 | accepted | 70 |
| 10639940 | 11/20/2020 | VulD... | cvss2_nvd_av | N | nvd.nist.gov | 11/20/2020 | accepted | 70 |
| 10639939 | 11/20/2020 | VulD... | confirm_url | https://kb.juniper.net/JSA11070 | cve.mitre.org | 11/20/2020 | accepted | 70 |
| 10639938 | 11/20/2020 | VulD... | cve_nvd_summary | (full NVD summary text quoted below the table) | cve.mitre.org | 11/20/2020 | accepted | 70 |
| 10639937 | 11/20/2020 | VulD... | cve_assigned | 1572822000 | cve.mitre.org | 11/20/2020 | accepted | 70 |
| 10639947 | 11/19/2020 | VulD... | cvss2_nvd_basescore | 7.6 | nist.gov | 11/19/2020 | accepted | 90 |
| 10528384 | 10/17/2020 | VulD... | price_0day | $5k-$25k | see documentation | 10/17/2020 | accepted | 90 |
| 10528383 | 10/17/2020 | VulD... | cvss3_meta_tempscore | 4.1 | see documentation | 10/17/2020 | accepted | 90 |
| 10528382 | 10/17/2020 | VulD... | cvss3_meta_basescore | 4.3 | see documentation | 10/17/2020 | accepted | 90 |
| 10528381 | 10/17/2020 | VulD... | cvss3_vuldb_tempscore | 4.1 | | 10/17/2020 | accepted | 90 |
| 10528380 | 10/17/2020 | VulD... | cvss3_vuldb_basescore | 4.3 | | 10/17/2020 | accepted | 90 |
| 10528379 | 10/17/2020 | VulD... | cvss2_vuldb_tempscore | 4.4 | | 10/17/2020 | accepted | 90 |
| 10528378 | 10/17/2020 | VulD... | cvss2_vuldb_basescore | 5.0 | | 10/17/2020 | accepted | 90 |
| 10528377 | 10/17/2020 | VulD... | cvss3_vuldb_e | X | derived from historical data | 10/17/2020 | accepted | 80 |
| 10528376 | 10/17/2020 | VulD... | cvss2_vuldb_rc | ND | derived from historical data | 10/17/2020 | accepted | 80 |

Change value of entry 10639938 (cve_nvd_summary):

Insufficient Cross-Site Scripting (XSS) protection in Juniper Networks J-Web and web based (HTTP/HTTPS) services allows an unauthenticated attacker to hijack the target user's HTTP/HTTPS session and perform administrative actions on the Junos device as the targeted user. This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled such as J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP). Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes: user@device> show system processes | match http 5260 - S 0:00.13 /usr/sbin/httpd-gk -N 5797 - I 0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf In order to successfully exploit this vulnerability, the attacker needs to convince the device administrator to take action such as clicking the crafted URL sent via phishing email or convince the administrator to input data in the browser console. This issue affects Juniper Networks Junos OS: 18.1 versions prior to 18.1R3-S1; 18.2 versions prior to 18.2R3-S5; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R2-S5, 18.4R3-S2; 19.1 versions prior to 19.1R2-S2, 19.1R3-S1; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S4, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2; 20.1 versions prior to 20.1R1-S2, 20.1R2. This issue does not affect Juniper Networks Junos OS prior to 18.1R1.
