CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-22229 – Paragon Active Assurance (Formerly Netrounds): Stored Cross-site Scripting (XSS) vulnerability in web administration
https://notcve.org/view.php?id=CVE-2022-22229
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability, a stored XSS (or persistent), in the Control Center Controller web pages of Juniper Networks Paragon Active Assurance (Formerly Netrounds) allows a high-privilege attacker with 'WRITE' permissions to store one or more malicious scripts that will infect any other authorized user's account when they accidentally trigger the malicious script(s) while managing the device. Triggering these attacks enables the attacker to execute commands with the permissions up to that of the superuser account. This issue affects: Juniper Networks Paragon Active Assurance (Formerly Netrounds) All versions prior to 3.1.1; 3.2 versions prior to 3.2.1. Una vulnerabilidad de Neutralización Inapropiada de la Entrada Durante la Generación de la Página Web ("Cross-site Scripting"), un ataque de tipo XSS almacenado (o persistente), en las páginas web del Control Center Controller de Juniper Networks Paragon Active Assurance (anteriormente Netrounds) permite a un atacante de alto privilegio con permisos "WRITE" almacenar uno o más scripts maliciosos que infectarán la cuenta de cualquier otro usuario autorizado cuando accidentalmente desencadene el o los scripts maliciosos mientras administra el dispositivo. El desencadenamiento de estos ataques permite al atacante ejecutar comandos con los permisos hasta los de la cuenta de super usuario. • https://kb.juniper.net/JSA69883 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 3EXPL: 0CVE-2021-0232 – Paragon Active Assurance: Authentication bypass vulnerability in Control Center
https://notcve.org/view.php?id=CVE-2021-0232
An authentication bypass vulnerability in the Juniper Networks Paragon Active Assurance Control Center may allow an attacker with specific information about the deployment to mimic an already registered Test Agent and access its configuration including associated inventory details. If the issue occurs, the affected Test Agent will not be able to connect to the Control Center. This issue affects Juniper Networks Paragon Active Assurance Control Center All versions prior to 2.35.6; 2.36 versions prior to 2.36.2. Una vulnerabilidad de omisión de autenticación en Juniper Networks Paragon Active Assurance Control Center, puede permitir a un atacante con información específica sobre la implementación imitar a un Agente de Prueba ya registrado y acceder a su configuración, incluidos los detalles del inventario asociado. Si ocurre el problema, el Agente de Prueba afectado no será capaz de conectarse al Control Center. • https://kb.juniper.net/JSA11127 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNPCV3KRDI5PLLLKADFVIOHACQJLZMLI • CWE-284: Improper Access Control CWE-290: Authentication Bypass by Spoofing •