Vulnerability CVE-2009-3487

Vulnerability Name:

CVE-2009-3487 (CCN-53502)

Assigned:

2009-09-22

Published:

2009-09-22

Updated:

2009-10-02

Summary:

Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via (1) the JEXEC_OUTID parameter in a JEXEC_MODE_RELAY_OUTPUT action to the jexec program; the (2) act, (3) refresh-time, or (4) ifid parameter to scripter.php; (5) the revision parameter in a rollback action to the configuration program; the m[] parameter to the (6) monitor, (7) manage, (8) events, (9) configuration, or (10) alarms program; (11) the m[] parameter to the default URI; (12) the m[] parameter in a browse action to the default URI; (13) the wizard-next parameter in an https action to the configuration program; or the (14) Contact Information, (15) System Description, (16) Local Engine ID, (17) System Location, or (18) System Name Override SNMP parameter, related to the configuration program.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.3 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
4.1 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2009-3487

Source: CCN
Type: SA36829
Juniper JUNOS JWeb Multiple Vulnerabilities

Source: SECUNIA
Type: Exploit, Vendor Advisory
36829

Source: CCN
Type: Juniper Networks Web site
Juniper Networks JUNOS

Source: CCN
Type: OSVDB ID: 58514
Juniper Junos J-Web Interface /script.php Multiple Parameter XSS

Source: CCN
Type: OSVDB ID: 58515
Juniper Junos J-Web Interface Multiple Script m[] Parameter XSS

Source: CCN
Type: PR09-09
Juniper JunOS JWeb (Juniper Web Management) authenticated XSS

Source: MISC
Type: Exploit
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-10

Source: BID
Type: Exploit
36537

Source: CCN
Type: BID-36537
Juniper Networks JUNOS J-Web Multiple Cross Site Scripting And HTML Injection Vulnerabilities

Source: VUPEN
Type: Vendor Advisory
ADV-2009-2784

Source: XF
Type: UNKNOWN
junos-multiple-xss(53502)

Vulnerable Configuration:

Configuration 1:

cpe:/o:juniper:junos:8.5:r1.14:*:*:*:*:*:*

Configuration CCN 1:

cpe:/o:juniper:junos:8.5:r1.14:*:*:*:*:*:*

Denotes that component is vulnerable

BACK