CVE-2009-3486 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via the host parameter to (1) the pinghost program, reachable through the diagnose program; or (2) the traceroute program, reachable through the diagnose program; or (3) the probe-limit parameter to the configuration program; the (4) wizard-ids or (5) pager-new-identifier parameter in a firewall-filters action to the configuration program; (6) the cos-physical-interface-name parameter in a cos-physical-interfaces-edit action to the configuration program; the (7) wizard-args or (8) wizard-ids parameter in an snmp action to the configuration program; the (9) username or (10) fullname parameter in a users action to the configuration program; or the (11) certname or (12) certbody parameter in a local-cert (aka https) action to the configuration program.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Juniper	Junos

Configuration 1 [-]

cpe:2.3:o:juniper:junos:8.5:r1.14:*:*:*:*:*:*

No data.

References

Link	Providers
http://secunia.com/advisories/36829
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09
http://www.securityfocus.com/bid/36537
http://www.vupen.com/english/advisories/2009/2784

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-09-30T15:00:00Z

Updated: 2024-09-17T00:42:29.228Z

Reserved: 2009-09-30T00:00:00Z

Link: CVE-2009-3486

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2009-09-30T15:30:00.500

Modified: 2009-10-05T04:00:00.000

Link: CVE-2009-3486

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via the host parameter to (1) the pinghost program, reachable through the diagnose program; or (2) the traceroute program, reachable through the diagnose program; or (3) the probe-limit parameter to the configuration program; the (4) wizard-ids or (5) pager-new-identifier parameter in a firewall-filters action to the configuration program; (6) the cos-physical-interface-name parameter in a cos-physical-interfaces-edit action to the configuration program; the (7) wizard-args or (8) wizard-ids parameter in an snmp action to the configuration program; the (9) username or (10) fullname parameter in a users action to the configuration program; or the (11) certname or (12) certbody parameter in a local-cert (aka https) action to the configuration program."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2009-09-30T15:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09"}, {"name": "ADV-2009-2784", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/2784"}, {"name": "36537", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/36537"}, {"name": "36829", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/36829"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3486", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via the host parameter to (1) the pinghost program, reachable through the diagnose program; or (2) the traceroute program, reachable through the diagnose program; or (3) the probe-limit parameter to the configuration program; the (4) wizard-ids or (5) pager-new-identifier parameter in a firewall-filters action to the configuration program; (6) the cos-physical-interface-name parameter in a cos-physical-interfaces-edit action to the configuration program; the (7) wizard-args or (8) wizard-ids parameter in an snmp action to the configuration program; the (9) username or (10) fullname parameter in a users action to the configuration program; or the (11) certname or (12) certbody parameter in a local-cert (aka https) action to the configuration program."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09", "refsource": "MISC", "url": "http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09"}, {"name": "ADV-2009-2784", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2784"}, {"name": "36537", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36537"}, {"name": "36829", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36829"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T06:31:10.343Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09"}, {"name": "ADV-2009-2784", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2009/2784"}, {"name": "36537", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/36537"}, {"name": "36829", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/36829"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3486", "datePublished": "2009-09-30T15:00:00Z", "dateReserved": "2009-09-30T00:00:00Z", "dateUpdated": "2024-09-17T00:42:29.228Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:juniper:junos:8.5:r1.14:*:*:*:*:*:*", "matchCriteriaId": "4D5C18F9-DAA8-4F1A-8A5E-9A544C607624", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via the host parameter to (1) the pinghost program, reachable through the diagnose program; or (2) the traceroute program, reachable through the diagnose program; or (3) the probe-limit parameter to the configuration program; the (4) wizard-ids or (5) pager-new-identifier parameter in a firewall-filters action to the configuration program; (6) the cos-physical-interface-name parameter in a cos-physical-interfaces-edit action to the configuration program; the (7) wizard-args or (8) wizard-ids parameter in an snmp action to the configuration program; the (9) username or (10) fullname parameter in a users action to the configuration program; or the (11) certname or (12) certbody parameter in a local-cert (aka https) action to the configuration program."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en (XSS) la interface J-Web en Juniper JUNOS v8.5R1.14 permite a usuarios autenticados remotamente ejecutar c\u00f3digo web y HTML de su elecci\u00f3n a trav\u00e9s del par\u00e1metro host en (1) el programa pinghost, accesible a trav\u00e9s del programa diagnose; o (2) el programa traceroute, accesible a trav\u00e9s del programa diagnose; o (3)el par\u00e1metro probe-limit en el programa configuration; los (4) par\u00e1metros wizard-ids o (5)par\u00e1metro pager-new-identifier en una acci\u00f3n firewall-filters en el programa configuration (6) par\u00e1metro the cos-physical-interface-name en una acci\u00f3n cos-physical-interfaces-edit en el programa configuration; los par\u00e1metros (7) wizard-args o (8) wizard-ids en una acci\u00f3n snmp en el programa configuration; los par\u00e1metros(9) username o (10) fullname en una acci\u00f3n users en el programa configuration; o los par\u00e1metros (11) certname o (12) certbody en una acci\u00f3n local-cert (como https) en el programa configuration."}], "id": "CVE-2009-3486", "lastModified": "2009-10-05T04:00:00.000", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2009-09-30T15:30:00.500", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/36829"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/36537"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2009/2784"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}