Message-ID: <CA+PFrLkb6-12_6ZMRJJ8jyyj0H9_qFPeYO_xbnKAma=XL6KWig@mail.gmail.com>
Date: Mon, 22 Jul 2013 19:30:29 +0200
From: Anil Pazvant <pazwant@...il.com>
To: bugtraq@...urityfocus.com
Subject: Juniper Secure Access XSS Vulnerability
-------------------------------------------------------------------------------
| Juniper Secure Access XSS Vulnerability|
--------------------------------------------------------------------------------
Summary
===============
Juniper Secure Access software has a reflected XSS vulnerability.
CVE number: CVE-2012-5460
PSN-2013-03-874
Impact: Low
Vendor homepage:
http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2013-03-874&viewMode=view
Vendor notified: 06/06/2012
Vendor fixed: 12/12/2012
Affected Products
=================
Juniper SA (IVE OS) versions prior to 7.1r13, 7.2r7, 7.3r2.
Details
==================
To exploit this vulnerability, the client must first authenticate to
the SSLVPN service. The vulnerable parameter exists on the help page of
the IVE user web interface.
Affected parameter: WWHSearchWordsText
Impact
==================
Execution of arbitrary script code in a user's browser during an
authenticated session.
Solution
==================
Upgrade to 7.1r13, 7.2r7, 7.3r2, or higher.
Twitter @pazwant