cbcvebase.
CVE-2024-21620
published 2024-01-25

CVE-2024-21620: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and…

medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an attacker to construct a URL that when visited by another user enables the attacker to execute commands with the target's permissions, including an administrator. A specific invocation of the emit_debug_note method in webauth_operation.php will echo back the data it receives. This issue affects Juniper Networks Junos OS on SRX Series and EX Series: * All versions earlier than 20.4R3-S10; * 21.2 versions earlier than 21.2R3-S8; * 21.4 versions earlier than 21.4R3-S6; * 22.1 versions earlier than 22.1R3-S5; * 22.2 versions earlier than 22.2R3-S3; * 22.3 versions earlier than 22.3R3-S2; * 22.4 versions earlier than 22.4R3-S1; * 23.2 versions earlier than 23.2R2; * 23.4 versions earlier than 23.4R2.

Affected

23 ranges
VendorProductVersion rangeFixed in
juniperex_series
juniperj-web
juniperjunos< 20.420.4
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos_os
junipersrx_series
juniper_networksjunos_os< 20.4R3-S1020.4R3-S10
juniper_networksjunos_os>= 21.2 < 21.2R3-S821.2R3-S8
juniper_networksjunos_os>= 21.4 < 21.4R3-S621.4R3-S6
juniper_networksjunos_os>= 22.1 < 22.1R3-S522.1R3-S5
juniper_networksjunos_os>= 22.2 < 22.2R3-S322.2R3-S3
juniper_networksjunos_os>= 22.3 < 22.3R3-S222.3R3-S2
juniper_networksjunos_os>= 22.4 < 22.4R3-S122.4R3-S1
juniper_networksjunos_os>= 23.2 < 23.2R223.2R2
juniper_networksjunos_os>= 23.4 < 23.4R223.4R2

CVSS provenance

nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck8.8HIGH