CVSS: 6.5EPSS: 0%CPEs: 23EXPL: 0CVE-2019-0016 – Junos Space: Authenticated user able to delete devices without delete device privileges
https://notcve.org/view.php?id=CVE-2019-0016
A malicious authenticated user may be able to delete a device from the Junos Space database without the necessary privileges through crafted Ajax interactions obtained from another legitimate delete action performed by another administrative user. Affected releases are Juniper Networks Junos Space versions prior to 18.3R1. Un usuario autenticado malicioso podría ser capaz de eliminar un dispositivo de la base de datos de Junos Space sin los privilegios necesarios mediante interacciones Ajax manipuladas obtenidas de otra acción legítima eliminada realizada por otro usuario administrativo. Las distribuciones afectadas son: Junos Space en todas sus versiones anteriores a la 18.3R1. • https://kb.juniper.net/JSA10917 •
CVSS: 8.8EPSS: 0%CPEs: 23EXPL: 0CVE-2019-0017 – Junos Space: Unrestricted file upload vulnerability
https://notcve.org/view.php?id=CVE-2019-0017
The Junos Space application, which allows Device Image files to be uploaded, has insufficient validity checking which may allow uploading of malicious images or scripts, or other content types. Affected releases are Juniper Networks Junos Space versions prior to 18.3R1. La aplicación de Junos Space, que permite que los archivos Device Image se suban, tiene una comprobación de validez insuficiente, lo que podría permitir la subida de imágenes o scripts, así como otros tipos de contenido. Las distribuciones afectadas son: Junos Space en todas sus versiones anteriores a la 18.3R1. • https://kb.juniper.net/JSA10917 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.5EPSS: 0%CPEs: 95EXPL: 0CVE-2019-0015 – Junos OS: SRX Series: Deleted dynamic VPN users are allowed to establish VPN connections until reboot
https://notcve.org/view.php?id=CVE-2019-0015
A vulnerability in the SRX Series Service Gateway allows deleted dynamic VPN users to establish dynamic VPN connections until the device is rebooted. A deleted dynamic VPN connection should be immediately disallowed from establishing new VPN connections. Due to an error in token caching, deleted users are allowed to connect once a previously successful dynamic VPN connection has been established. A reboot is required to clear the cached authentication token. Affected releases are Junos OS on SRX Series: 12.3X48 versions prior to 12.3X48-D75; 15.1X49 versions prior to 15.1X49-D150; 17.3 versions prior to 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2. • http://www.securityfocus.com/bid/106668 https://kb.juniper.net/JSA10915 • CWE-613: Insufficient Session Expiration •
CVSS: 8.0EPSS: 0%CPEs: 16EXPL: 0CVE-2018-0047 – Junos Space Security Director: XSS vulnerability in web administration
https://notcve.org/view.php?id=CVE-2018-0047
A persistent cross-site scripting vulnerability in the UI framework used by Junos Space Security Director may allow authenticated users to inject persistent and malicious scripts. This may allow stealing of information or performing actions as a different user when other users access the Security Director web interface. This issue affects all versions of Juniper Networks Junos Space Security Director prior to 17.2R2. Una vulnerabilidad Cross-Site Scripting (XSS) persistente en el la interfaz del framework empleado por Junos Space Security Director podría permitir que usuarios autenticados inyecten scripts persistentes y maliciosos. Esto podría permitir el robo de información o la realización de acciones como otro usuario cuando otros acceden a la interfaz web de Security Director. • http://www.securitytracker.com/id/1041863 https://kb.juniper.net/JSA10881 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 83EXPL: 0CVE-2018-0060 – Junos OS: Invalid IP/mask learned from DHCP server might cause device control daemon (dcd) process crash
https://notcve.org/view.php?id=CVE-2018-0060
An improper input validation weakness in the device control daemon process (dcd) of Juniper Networks Junos OS allows an attacker to cause a Denial of Service to the dcd process and interfaces and connected clients when the Junos device is requesting an IP address for itself. Junos devices are not vulnerable to this issue when not configured to use DHCP. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D40 on SRX Series; 12.3X48 versions prior to 12.3X48-D20 on SRX Series; 14.1X53 versions prior to 14.1X53-D40 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100; 15.1X49 versions prior to 15.1X49-D20 on SRX Series; 15.1X53 versions prior to 15.1X53-D68 on QFX10000 Series; 15.1X53 versions prior to 15.1X53-D235 on QFX5200/QFX5110; 15.1X53 versions prior to 15.1X53-D495 on NFX150, NFX250; 15.1X53 versions prior to 15.1X53-D590 on EX2300/EX3400; 15.1 versions prior to 15.1R7-S2. Una debilidad de validación de entradas incorrecta en el proceso del demonio de control del dispositivo (dcd) de Juniper Networks Junos OS permite que un atacante provoque una denegación de servicio (DoS) en el proceso y las interfaces dcd, así como los clientes conectados, cuando el dispositivo Junos solicita una dirección IP para sí mismo. Los dispositivos Junos no son vulnerables a este problema cuando no están configurados para emplear DHCP. • http://www.securitytracker.com/id/1041858 https://kb.juniper.net/JSA10895 • CWE-20: Improper Input Validation •