Published: 2006-07-12 21:05:00
Last revised: 2017-07-19 21:32:24

[Original] Cross-site scripting (XSS) vulnerability in the web administration interface logging feature in Juniper Networks (Redline) DX 5.1.x, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the username login field.

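[CNNVD] Juniper Networks DX System Log Cross-Site Scripting Vulnerability (CNNVD-200607-176)

        A cross-site scripting vulnerability exists in the Juniper Networks DX system log. An attacker who successfully exploits this vulnerability may gain administrative access to the Juniper DX device.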

- CVSS (Base Score)

CVSS score: 4.3 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)


- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources
(UNKNOWN)  BUGTRAQ  20060710 Juniper Networks DX Web Administration Persistent System Log XSS Vulnerability
(UNKNOWN)  BID  18926
(UNKNOWN)  VUPEN  ADV-2006-2741
(UNKNOWN)  XF  juniper-networks-logging-xss(27645)

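- Vulnerability Information

Juniper Networks DX System Log Cross-Site Scripting Vulnerability
Medium severity Cross-site scripting
2006-07-12 00:00:00 2006-07-19 00:00:00
        A cross-site scripting vulnerability exists in the Juniper Networks DX system log. An attacker who successfully exploits this vulnerability may gain administrative access to the Juniper DX device.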

- Advisories and Patches


- Vulnerability Information

Juniper Networks DX System Web Admin Log Script XSS
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability Description

The Web Admin Log Script of Juniper's DX Application Acceleration Platform contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate input submitted to the 'username' field of the login function. Values are stored unchecked in the application's log files. This could allow a user to create a specially crafted log file entry that would execute arbitrary code in an administrator's browser, within the trust relationship between the browser and the server, when the administrator views the log files, leading to a loss of integrity.

- Timeline

2006-07-10 Unknown
Unknown Unknown

- Solution

It has been reported that this issue has been fixed. Upgrade to version 5.0.41, 5.1.7, 5.2.0, 5.3.0, or higher, to address this vulnerability.

- Related References

- Vulnerability Credit