CVE-2009-3486
published 2009-09-30CVE-2009-3486: Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web…
PriorityP414low3.5CVSS 2.0
AVNACMAuSCNIPAN
EXPLOIT
EPSS
1.25%
65.6th percentile
Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via the host parameter to (1) the pinghost program, reachable through the diagnose program; or (2) the traceroute program, reachable through the diagnose program; or (3) the probe-limit parameter to the configuration program; the (4) wizard-ids or (5) pager-new-identifier parameter in a firewall-filters action to the configuration program; (6) the cos-physical-interface-name parameter in a cos-physical-interfaces-edit action to the configuration program; the (7) wizard-args or (8) wizard-ids parameter in an snmp action to the configuration program; the (9) username or (10) fullname parameter in a users action to the configuration program; or the (11) certname or (12) certbody parameter in a local-cert (aka https) action to the configuration program.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| juniper | j-web | — | — |
| juniper | junos | — | — |
| juniper | junos_os | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-vph7-v96r-wc7m: Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8
ghsa_unreviewed·2022-05-02
CVE-2009-3486 [LOW] CWE-79 GHSA-vph7-v96r-wc7m: Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8
Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via the host parameter to (1) the pinghost program, reachable through the diagnose program; or (2) the traceroute program, reachable through the diagnose program; or (3) the probe-limit parameter to the configuration program; the (4) wizard-ids or (5) pager-new-identifier parameter in a firewall-filters action to the configuration program; (6) the cos-physical-interface-name parameter in a cos-physical-interfaces-edit action to the configuration program; the (7) wizard-args or (8) wizard-ids parameter in an snmp action to the configuration program; the (9) username or (10) fullname parameter in a users action to the con
Juniper
CVE-2009-3486: Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitr
vendor_juniper·2009-09-30·CVSS 3.5
CVE-2009-3486 [LOW] CWE-79 CVE-2009-3486: Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitr
CVE-2009-3486: Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via the host parameter to (1) the pinghost program, reachable through the diagnose program; or (2) the traceroute program, reachable through the diagnose program; or (3) the probe-limit parameter to the configuration program; the (4) wizard-ids or (5) pager-new-identifier parameter in a firewall-filters action to the configuration program; (6) the cos-physical-interface-name parameter in a cos-physical-interfaces-edit action to the configuration program; the (7) wizard-args or (8) wizard-ids parameter in an snmp action to the configuration program; the (9) username or (10) fullname parameter in a users ac
No detection rules found.
Exploit-DB
Juniper Junos 8.5/9.0 J-Web Interface - '/configuration' Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2009-09-22
CVE-2009-3486 Juniper Junos 8.5/9.0 J-Web Interface - '/configuration' Multiple Cross-Site Scripting Vulnerabilities
Juniper Junos 8.5/9.0 J-Web Interface - '/configuration' Multiple Cross-Site Scripting Vulnerabilities
---
source: https://www.securityfocus.com/bid/36537/info
Juniper Networks JUNOS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data to J-Web (Juniper Web Management).
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
This issue affects the following:
J-Web 8.5R1.14
J-Web 9.0R1.1
Program URI :- http://www.example.com/configuration?m[]=wizards&m[]=rpm
POST
current-page=main&wizard-next=&wizard-
Exploit-DB
Juniper Junos 8.5/9.0 J-Web Interface - '/diagnose' Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2009-09-22
CVE-2009-3486 Juniper Junos 8.5/9.0 J-Web Interface - '/diagnose' Multiple Cross-Site Scripting Vulnerabilities
Juniper Junos 8.5/9.0 J-Web Interface - '/diagnose' Multiple Cross-Site Scripting Vulnerabilities
---
source: https://www.securityfocus.com/bid/36537/info
Juniper Networks JUNOS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data to J-Web (Juniper Web Management).
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
This issue affects the following:
J-Web 8.5R1.14
J-Web 9.0R1.1
Program URI :- http://www.example.com/diagnose?m[]=pinghost
Vulnerable Parameter :- Remote Host
Program URI :- http://
No writeups or analysis indexed.
http://secunia.com/advisories/36829http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09http://www.securityfocus.com/bid/36537http://www.vupen.com/english/advisories/2009/2784http://secunia.com/advisories/36829http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09http://www.securityfocus.com/bid/36537http://www.vupen.com/english/advisories/2009/2784
2009-09-30
Published