Juniper Junos J-Web Multiple Vulnerabilities (JSA10682)

Critical Nessus Plugin ID 85224


The remote device is missing a vendor-supplied security patch.


According to its self-reported version number, the remote Juniper Junos device is affected by multiple vulnerabilities in the J-Web component:

- A cross-site scripting vulnerability exists due to a failure to validate input before returning it to users. A remote attacker, using a crafted request, can exploit this to gain access to session credentials or execute administrative actions through the user's browser.

- A denial of service vulnerability exists in error handling that allows an attacker to crash the J-Web service.

Note that these issues only affect devices with J-Web enabled.


Apply the relevant Junos software release or workaround referenced in Juniper advisory JSA10682.

Plugin Details

Severity: Critical

ID: 85224

File Name: juniper_jsa10682.nasl

Version: 1.9

Type: combined

Published: 2015/08/04

Modified: 2017/05/16

Dependencies: 55932

Risk Information

Risk Factor: Critical


Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:juniper:junos

Required KB Items: Host/Juniper/JUNOS/Version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2015/07/08

Vulnerability Publication Date: 2015/07/08

Reference Information

CVE: CVE-2014-6447

BID: 75717

OSVDB: 124291, 124292

JSA: JSA10682