2013-09 Security Bulletin: Junos Pulse Secure Access Service (IVE): Multiple cross site scripting issues

Categories: Security Advisories
ID: JSA10589
Last Updated: 12 Sep 2013
Version: 5.0

Product Affected:
SA700, SA2500, FIPS SA4000, SA4500, FIPS SA4500, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611

Problem:
Multiple cross site scripting issues have been found in the Juniper Networks SSL VPN product. The issues are the result of incorrect validation of user input sent to the SSL VPN web server. These issues exist within files that pertain to login pages, as well as a support-related page that is only accessible from an authenticated session.

Note: The specific cross site scripting issues contained in this advisory do not affect UAC OS.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

Solution:
The issues are fixed in SA (IVE OS) releases 7.4r3, 7.3r6, 7.2r11, 7.1r15, and all subsequent releases.

KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed, in accordance with our End of Engineering and End of Life support policies.

Workaround:
There are no viable workarounds for these issues. The affected pages are needed for normal operation and cannot be disabled.

CVSS Score:
4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Risk Level:
Medium

Risk Assessment:
Successful exploitation of these vulnerabilities could allow an attacker to inject arbitrary active content that is rendered in the user's browser, leading to possible session theft, service disruption, or other information disclosure.

Acknowledgements:
Juniper Networks would like to thank Sandro Gauci of EnableSecurity for responsibly reporting one of the issues included in this advisory.
