CVE-2013-5649

Multiple cross-site scripting (XSS) vulnerabilities in Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS 7.1 before 7.1r15, 7.2 before 7.2r11, 7.3 before 7.3r6, and 7.4 before 7.4r3 allow (1) remote attackers to inject arbitrary web script or HTML via vectors involving login pages, and allow (2) remote authenticated users to inject arbitrary web script or HTML via vectors involving a support page.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://kb.juniper.net/JSA10589	Vendor Advisory
http://osvdb.org/97240

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:juniper:ive_os:7.1:::::::*
	cpe:2.3:o:juniper:ive_os:7.2:::::::*
	cpe:2.3:o:juniper:ive_os:7.3:::::::*
	cpe:2.3:o:juniper:ive_os:7.4:::::::*

History

No history.

Information

Published : 2013-09-13 14:10

Updated : 2024-02-04 18:16

NVD link : CVE-2013-5649

Mitre link : CVE-2013-5649

CVE.ORG link : CVE-2013-5649

JSON object : View

Products Affected

juniper

ive_os

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2013-5649", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2013-09-13T14:10:27.580", "references": [{"url": "http://kb.juniper.net/JSA10589", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://osvdb.org/97240", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS 7.1 before 7.1r15, 7.2 before 7.2r11, 7.3 before 7.3r6, and 7.4 before 7.4r3 allow (1) remote attackers to inject arbitrary web script or HTML via vectors involving login pages, and allow (2) remote authenticated users to inject arbitrary web script or HTML via vectors involving a support page."}, {"lang": "es", "value": "Multiples vulnerabilidades cross-site scripting (XSS) en el Secure Access Service (SSL VPN) de Juniper Junos Pulse con IVE OS 7.1 (anteriores a 7.1r15), 7.2 (anteriores a 7.2r11), 7.3 (anteriores 7.3r6) y 7.4 (anteriores a 7.4r3) permite (1) a atacantes remotos inyectar script web o HTML a discrecci\u00f3n a trav\u00e9s de vectores que involucran p\u00e1ginas de login, y permite (2) a usuarios remotos autentificados inyectar script web o HTML a trav\u00e9s de vectores que involucran p\u00e1ginas de soporte."}], "lastModified": "2013-09-18T03:30:15.547", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:juniper:ive_os:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4313025-3FC4-42DB-B18E-57EC5C566B74"}, {"criteria": "cpe:2.3:o:juniper:ive_os:7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "754A5F1C-E181-4D36-86A7-5124C22EBF40"}, {"criteria": "cpe:2.3:o:juniper:ive_os:7.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8ECD0F7E-715A-4C52-ACF1-EE7A7042B991"}, {"criteria": "cpe:2.3:o:juniper:ive_os:7.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7F2DEC8-F096-4519-B194-2D1B0FFB8D0D"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}