CVE-2020-1607
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Insufficient Cross-Site Scripting (XSS) protection in J-Web may potentially allow a remote attacker to inject web script or HTML, hijack the target user's J-Web session and perform administrative actions on the Junos device as the targeted user. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S15; 12.3X48 versions prior to 12.3X48-D86, 12.3X48-D90 on SRX Series; 14.1X53 versions prior to 14.1X53-D51 on EX and QFX Series; 15.1F6 versions prior to 15.1F6-S13; 15.1 versions prior to 15.1R7-S5; 15.1X49 versions prior to 15.1X49-D181, 15.1X49-D190 on SRX Series; 15.1X53 versions prior to 15.1X53-D238 on QFX5200/QFX5110 Series; 15.1X53 versions prior to 15.1X53-D592 on EX2300/EX3400 Series; 16.1 versions prior to 16.1R4-S13, 16.1R7-S5; 16.2 versions prior to 16.2R2-S10; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R1-S9, 17.2R3-S2; 17.3 versions prior to 17.3R2-S5, 17.3R3-S5; 17.4 versions prior to 17.4R2-S6, 17.4R3; 18.1 versions prior to 18.1R3-S7; 18.2 versions prior to 18.2R2-S5, 18.2R3; 18.3 versions prior to 18.3R1-S6, 18.3R2-S1, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R2; 19.1 versions prior to 19.1R1-S2, 19.1R2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Junos OS | 17.2R2 | affected |
| Juniper Networks | Junos OS | 12.3 < 12.3R12-S15 | affected |
| Juniper Networks | Junos OS | 15.1F6 < 15.1F6-S13 | affected |
| Juniper Networks | Junos OS | 15.1 < 15.1R7-S5 | affected |
| Juniper Networks | Junos OS | 16.1 < 16.1R4-S13, 16.1R7-S5 | affected |
| Juniper Networks | Junos OS | 16.2 < 16.2R2-S10 | affected |
| Juniper Networks | Junos OS | 17.1 < 17.1R2-S11, 17.1R3-S1 | affected |
| Juniper Networks | Junos OS | 17.2 < 17.2R1-S9, 17.2R3-S2 | affected |
| Juniper Networks | Junos OS | 17.3 < 17.3R2-S5, 17.3R3-S5 | affected |
| Juniper Networks | Junos OS | 17.4 < 17.4R2-S6, 17.4R3 | affected |
| Juniper Networks | Junos OS | 18.1 < 18.1R3-S7 | affected |
| Juniper Networks | Junos OS | 18.2 < 18.2R2-S5, 18.2R3 | affected |
| Juniper Networks | Junos OS | 18.3 < 18.3R1-S6, 18.3R2-S1, 18.3R3 | affected |
| Juniper Networks | Junos OS | 18.4 < 18.4R1-S5, 18.4R2 | affected |
| Juniper Networks | Junos OS | 19.1 < 19.1R1-S2, 19.1R2 | affected |
| Juniper Networks | Junos OS | 12.3X48 < 12.3X48-D86, 12.3X48-D90 | affected |
| Juniper Networks | Junos OS | 15.1X49 < 15.1X49-D181, 15.1X49-D190 | affected |
| Juniper Networks | Junos OS | 14.1X53 < 14.1X53-D51 | affected |
| Juniper Networks | Junos OS | 15.1X53 < 15.1X53-D238 | affected |
| Juniper Networks | Junos OS | 15.1X53 < 15.1X53-D592 | affected |
Weaknesses
- CWE-79: CWE-79 Cross-site Scripting (XSS)
Workarounds
Access the J-Web service from trusted hosts which may not be compromised by cross-site scripting attacks, for example, deploying jump hosts with no internet access. Alternatively, disable J-Web.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.