Insufficient Cross-Site Scripting (XSS) protection in J-Web may potentially allow a remote attacker to inject web script or HTML, hijack the target user's J-Web session and perform administrative actions on the Junos device as the targeted user. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S15; 12.3X48 versions prior to 12.3X48-D86, 12.3X48-D90 on SRX Series; 14.1X53 versions prior to 14.1X53-D51 on EX and QFX Series; 15.1F6 versions prior to 15.1F6-S13; 15.1 versions prior to 15.1R7-S5; 15.1X49 versions prior to 15.1X49-D181, 15.1X49-D190 on SRX Series; 15.1X53 versions prior to 15.1X53-D238 on QFX5200/QFX5110 Series; 15.1X53 versions prior to 15.1X53-D592 on EX2300/EX3400 Series; 16.1 versions prior to 16.1R4-S13, 16.1R7-S5; 16.2 versions prior to 16.2R2-S10; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R1-S9, 17.2R3-S2; 17.3 versions prior to 17.3R2-S5, 17.3R3-S5; 17.4 versions prior to 17.4R2-S6, 17.4R3; 18.1 versions prior to 18.1R3-S7; 18.2 versions prior to 18.2R2-S5, 18.2R3; 18.3 versions prior to 18.3R1-S6, 18.3R2-S1, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R2; 19.1 versions prior to 19.1R1-S2, 19.1R2.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
|
Juniper
Subscribe
|
Ex2300
Subscribe
Ex2300-c
Subscribe
Ex3400
Subscribe
Ex4300
Subscribe
Ex4600
Subscribe
Ex4650
Subscribe
Ex9200
Subscribe
Ex9250
Subscribe
Junos
Subscribe
Qfx10002
Subscribe
Qfx10008
Subscribe
Qfx10016
Subscribe
Qfx3000-g
Subscribe
Qfx3000-m
Subscribe
Qfx3008-i
Subscribe
Qfx3100
Subscribe
Qfx3500
Subscribe
Qfx3600
Subscribe
Qfx3600-i
Subscribe
Qfx5100
Subscribe
Qfx5110
Subscribe
Qfx5200
Subscribe
Qfx5210
Subscribe
Srx100
Subscribe
Srx110
Subscribe
Srx1400
Subscribe
Srx1500
Subscribe
Srx210
Subscribe
Srx220
Subscribe
Srx240
Subscribe
Srx300
Subscribe
Srx320
Subscribe
Srx340
Subscribe
Srx3400
Subscribe
Srx345
Subscribe
Srx3600
Subscribe
Srx4100
Subscribe
Srx4200
Subscribe
Srx4600
Subscribe
Srx5400
Subscribe
Srx550
Subscribe
Srx5600
Subscribe
Srx5800
Subscribe
Srx650
Subscribe
|
Configuration 1 [-]
|
Configuration 2 [-]
| AND |
|
Configuration 3 [-]
| AND |
|
Configuration 4 [-]
| AND |
|
Configuration 5 [-]
| AND |
|
No data.
No data.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2020-12477 | Insufficient Cross-Site Scripting (XSS) protection in J-Web may potentially allow a remote attacker to inject web script or HTML, hijack the target user's J-Web session and perform administrative actions on the Junos device as the targeted user. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S15; 12.3X48 versions prior to 12.3X48-D86, 12.3X48-D90 on SRX Series; 14.1X53 versions prior to 14.1X53-D51 on EX and QFX Series; 15.1F6 versions prior to 15.1F6-S13; 15.1 versions prior to 15.1R7-S5; 15.1X49 versions prior to 15.1X49-D181, 15.1X49-D190 on SRX Series; 15.1X53 versions prior to 15.1X53-D238 on QFX5200/QFX5110 Series; 15.1X53 versions prior to 15.1X53-D592 on EX2300/EX3400 Series; 16.1 versions prior to 16.1R4-S13, 16.1R7-S5; 16.2 versions prior to 16.2R2-S10; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R1-S9, 17.2R3-S2; 17.3 versions prior to 17.3R2-S5, 17.3R3-S5; 17.4 versions prior to 17.4R2-S6, 17.4R3; 18.1 versions prior to 18.1R3-S7; 18.2 versions prior to 18.2R2-S5, 18.2R3; 18.3 versions prior to 18.3R1-S6, 18.3R2-S1, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R2; 19.1 versions prior to 19.1R1-S2, 19.1R2. |
Fixes
Solution
The following software releases have been updated to resolve this specific issue: 12.3R12-S15, 12.3X48-D86, 12.3X48-D90, 14.1X53-D51, 15.1F6-S13,15.1R7-S5, 15.1X49-D181, 15.1X49-D190, 15.1X53-D238, 15.1X53-D592, 16.1R4-S13, 16.1R7-S5, 16.2R2-S10,17.1R2-S11, 17.1R3-S1, 17.2R1-S9, 17.2R3-S2, 17.3R2-S5, 17.3R3-S5, 17.4R2-S6, 17.4R3, 18.1R3-S7,18.2R2-S5, 18.2R3, 18.3R1-S6, 18.3R2-S1, 18.3R3, 18.4R1-S5, 18.4R2, 19.1R1-S2, 19.1R2, 19.2R1, and all subsequent releases.
Workaround
Access the J-Web service from trusted hosts which may not be compromised by cross-site scripting attacks, for example, deploying jump hosts with no internet access. Alternatively, disable J-Web.
References
| Link | Providers |
|---|---|
| https://kb.juniper.net/JSA10986 |
|
History
No history.
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: juniper
Published:
Updated: 2024-09-16T20:51:46.197Z
Reserved: 2019-11-04T00:00:00
Link: CVE-2020-1607
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-01-15T09:15:12.560
Modified: 2024-11-21T05:10:57.287
Link: CVE-2020-1607
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses