CVE-2024-39565 – Junos OS: J-Web: An unauthenticated, network-based attacker can perform XPATH injection attack against a device.

https://notcve.org/view.php?id=CVE-2024-39565

An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execute remote commands on the target device.  While an administrator is logged into a J-Web session or has previously logged in and subsequently logged out of their J-Web session, the attacker can arbitrarily execute commands on the target device with the other user's credentials. In the worst case, the attacker will have full control over the device. This issue affects Junos OS:  * All versions before 21.2R3-S8,  * from 21.4 before 21.4R3-S7, * from 22.2 before 22.2R3-S4, * from 22.3 before 22.3R3-S3, * from 22.4 before 22.4R3-S2, * from 23.2 before 23.2R2, * from 23.4 before 23.4R1-S1, 23.4R2. Una vulnerabilidad de neutralización inadecuada de datos dentro de expresiones XPath ('inyección XPath') en J-Web incluido con Juniper Networks Junos OS permite que un atacante basado en red no autenticado ejecute comandos remotos en el dispositivo objetivo. Mientras un administrador inicia sesión en una sesión de J-Web o ha iniciado sesión previamente y posteriormente ha cerrado sesión en su sesión de J-Web, el atacante puede ejecutar comandos arbitrariamente en el dispositivo de destino con las credenciales del otro usuario. En el peor de los casos, el atacante tendrá control total sobre el dispositivo. • https://support.juniper.net/support/downloads/?p=283 https://supportportal.juniper.net/JSA83023 https://www.first.org/cvss/calculator/v4-0#CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/R:I/V:C/RE:L/U:Amber • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection') •