CVE-2009-3486

Juniper Junos - XSS

Title source: rule
STIX 2.1

Description

Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via the host parameter to (1) the pinghost program, reachable through the diagnose program; or (2) the traceroute program, reachable through the diagnose program; or (3) the probe-limit parameter to the configuration program; the (4) wizard-ids or (5) pager-new-identifier parameter in a firewall-filters action to the configuration program; (6) the cos-physical-interface-name parameter in a cos-physical-interfaces-edit action to the configuration program; the (7) wizard-args or (8) wizard-ids parameter in an snmp action to the configuration program; the (9) username or (10) fullname parameter in a users action to the configuration program; or the (11) certname or (12) certbody parameter in a local-cert (aka https) action to the configuration program.

Exploits (2)

exploitdb WRITEUP VERIFIED
by Amir Azam · textremotehardware
https://www.exploit-db.com/exploits/33258
exploitdb WORKING POC VERIFIED
by Amir Azam · textremotehardware
https://www.exploit-db.com/exploits/33259

References (4)

Core 4
Core References
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2784
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36537
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36829

Scores

EPSS 0.0039
EPSS Percentile 60.0%

Details

CWE
CWE-79
Status published
Products (1)
juniper/junos 8.5 r1.14
Published Sep 30, 2009
Tracked Since Feb 18, 2026