Juniper Secure Access Series meeting_testjava.cgi: XSS Vulnerability

Users of Juniper Secure Access Series devices that expose meeting_testjava.cgi, please be advised of an XSS (cross-site scripting) vulnerability that has been identified.
To view this vulnerability, possible remedies, and other advisories, please see the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).

ZDI-10-231: Juniper Secure Access Series meeting_testjava.cgi XSS Vulnerability
— Affected Products:
Juniper Secure Access Series
— Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Juniper SA Series devices. Authentication is
not required to exploit this vulnerability.

The specific flaw exists within the meeting_testjava.cgi page which is
used to test JVM compatibility. When handling the DSID HTTP header the
code allows an attacker to inject arbitrary JavaScript into the page.
This can be abused by an attacker to perform a cross-site scripting
attack on the device.

Read more at http://www.criticalwatch.com
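The advisory's root cause is a header value reflected into an HTML page without validation or encoding. The following is an added illustration written for this post, not code from ZDI, Juniper or Critical Watch, and not the real meeting_testjava.cgi logic: it places the reflection pattern the advisory describes next to a hardened version that allowlists the token format and HTML-encodes anything it echoes. The 32-hex-character DSID format, the function names and the sample values are assumptions made for the example.

```python
import html
import re

# Assumption (not from the advisory): the session identifier is expected to
# be a 32-character hexadecimal token. The real DSID format may differ; this
# is an illustrative allowlist only.
DSID_PATTERN = re.compile(r"^[0-9a-fA-F]{32}$")


def render_vulnerable(dsid: str) -> str:
    """The flaw pattern: the header value is reflected into HTML unencoded."""
    return f"<html><body><p>Session: {dsid}</p></body></html>"


def is_valid_dsid(dsid: str) -> bool:
    """Allowlist check: accept only a well-formed token, reject everything else."""
    return DSID_PATTERN.fullmatch(dsid) is not None


def render_hardened(dsid: str) -> str:
    """Validate first, then HTML-encode whatever is reflected (defence in depth)."""
    if not is_valid_dsid(dsid):
        # Do not echo a malformed value back into the page at all.
        dsid = "invalid"
    # html.escape with quote=True also neutralises quotes, so the value is safe
    # inside attribute contexts as well as element text.
    return f"<html><body><p>Session: {html.escape(dsid, quote=True)}</p></body></html>"


# Constructed sample inputs (not taken from the advisory).
BENIGN_DSID = "0123456789abcdef0123456789abcdef"
HOSTILE_DSID = '<script>alert("xss")</script>'

if __name__ == "__main__":
    print(render_vulnerable(HOSTILE_DSID))   # markup lands in the page verbatim
    print(render_hardened(HOSTILE_DSID))     # rejected by the allowlist
    print(render_hardened(BENIGN_DSID))      # well-formed token passes through
```

The allowlist alone would already stop the reflection here; the encoding step remains so that a later change to the accepted format cannot silently reintroduce the issue. In a real deployment the same value should also be checked at the reverse proxy or WAF in front of the device, and the vendor fix applied.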

