CVE-2024-21620: Cross-site Scripting in Juniper Networks Junos OS

Severity

NVD: 6.1 MEDIUM
CNA: 8.8
VulnCheck: 8.8

EPSS

0.4% (top 41.26%)

CISA KEV

Not in KEV

Exploit

No known exploits

Timeline

Published: Jan 25, 2024
Latest update: Jan 26, 2024

Description

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an attacker to construct a URL that, when visited by another user, enables the attacker to execute commands with that user's permissions, including those of an administrator. A specific invocation of the emit_debug_note method in webauth_operation.php echoes back the data it receives. This issue affects Juniper Networks Junos OS
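Triage logic over web-server access logs for the behaviour the description gives: a request that reaches J-Web's webauth_operation.php, names emit_debug_note, and carries markup for the page to echo back to whoever opens the link. This is an added example, not code from Juniper, cvebase or any scanner. The log lines are constructed, and the parameter names (op, msg), the payloads and the marker patterns are assumptions made for illustration; the advisory does not say how the request is shaped, so the check deliberately keys on the path and method name only.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample traffic in combined log format; none of it is real.
# The parameter names (op, msg) are made up for the example: the advisory only
# says that an invocation of emit_debug_note in webauth_operation.php echoes
# back what it receives, not how the request is shaped.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jan/2024:10:01:12 +0000] "GET /webauth_operation.php?op=emit_debug_note&msg=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Jan/2024:10:01:40 +0000] "GET /webauth_operation.php?op=emit_debug_note&msg=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 530 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Jan/2024:10:02:03 +0000] "GET /webauth_operation.php?op=emit_debug_note&msg=session+timeout HTTP/1.1" 200 220 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Jan/2024:10:02:10 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)
# Generic markers of HTML/script smuggled into a reflected parameter: an
# opening/closing tag, an on*= event handler, or a javascript: URL.
MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-z][a-z0-9]*|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def decode_query(query: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so double-encoded payloads are inspected in
    the form the victim's browser would finally render."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def classify(line: str):
    """Return None for lines that cannot hit this bug; otherwise a finding dict
    whose 'suspicious' flag says whether markup was present in the query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/webauth_operation.php"):
        return None
    query = decode_query(url.query)
    if "emit_debug_note" not in query:
        return None
    hit = MARKUP_RE.search(query)
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": int(m["status"]),
        "suspicious": hit is not None,
        "indicator": hit.group(0) if hit else None,
        "query": query,
    }


def triage(log_text: str) -> list:
    """All suspicious findings in a log, in file order."""
    findings = []
    for line in log_text.splitlines():
        f = classify(line)
        if f and f["suspicious"]:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} indicator={f['indicator']!r}")
```

Two design points worth noting: decoding is repeated so a double-encoded payload (second sample line) is judged in its rendered form, and a benign emit_debug_note request (third line) is returned by classify with suspicious set to False rather than dropped, so an analyst can still count how often the endpoint is touched.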

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

CVEListV5: juniper_networks/junos_os, 21.2 before 21.2R3-S8 (+8 more ranges)
NVD: juniper/junos, < 20.4 (+9 more ranges)

Vulnerability Details (3 sources)

GHSA (2024-01-26): GHSA-mph2-x4gq-qj7g: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Ser…
CVEList (2024-01-25): Junos OS: SRX Series and EX Series: J-Web doesn't sufficiently sanitize input to prevent XSS
VulnCheck (2024): Juniper Junos OS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vendor Advisories (1 source)

Juniper (2024-01-25): CVE-2024-21620: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Ser…
Source: cvebase, CVE-2024-21620: Cross-site Scripting