Juniper Junos J-Web Multiple Vulnerabilities (JSA10682)
Critical Nessus Plugin ID 85224
Synopsis
The remote device is missing a vendor-supplied security patch.
Description
According to its self-reported version number, the remote Juniper Junos device is affected by multiple vulnerabilities in the J-Web component:
- A cross-site scripting vulnerability exists due to a failure to validate input before returning it to users.
A remote attacker, using a crafted request, can exploit this to gain access to session credentials or execute administrative actions through the user's browser.
- A denial of service vulnerability exists in error handling that allows an attacker to crash the J-Web service.
Note that these issues only affect devices with J-Web enabled.
Solution
Apply the relevant Junos software release or workaround referenced in Juniper advisory JSA10682.