// For flags

CVE-2017-2339

ScreenOS: XSS vulnerability in ScreenOS Firewall

Severity Score

5.4
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A persistent cross site scripting vulnerability in NetScreen WebUI of Juniper Networks Juniper NetScreen Firewall+VPN running ScreenOS allows a user with the 'security' role to inject HTML/JavaScript content into the management session of other users including the administrator. This enables the lower-privileged user to effectively execute commands with the permissions of an administrator. This issue affects Juniper Networks ScreenOS 6.3.0 releases prior to 6.3.0r24 on SSG Series. No other Juniper Networks products or platforms are affected by this issue.

Una vulnerabilidad de tipo cross-site-scripting (XSS) persistente en la WebUI de NetScreen de Juniper Networks Juniper NetScreen Firewall+VPN ejecutándose en ScreenOS, permite a un usuario con el rol “security” inyectar contenido HTML/JavaScript en la sesión de administración de otros usuarios, incluyendo el administrador. Esto permite al usuario con pocos privilegios ejecutar comandos de manera eficaz con los permisos de un administrador. Este problema afecta a Juniper Networks ScreenOS versión 6.3.0 anteriores a 6.3.0r24 en la serie SSG. Ningún otro producto o plataforma de Juniper Networks está afectada por este problema.

*Credits: Gaku Mochizuki/Toshitsugu Yoneyama from Mitsui Bussan Secure Directions, Inc., for reporting this issue to the JPCERT/CC., Craig Young, Principal Security Researcher, Tripwire VERT, for responsibly reporting this vulnerability.
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-12-01 CVE Reserved
  • 2017-07-14 CVE Published
  • 2023-05-08 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (3)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
-
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r1
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r10
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r11
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r12
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r13
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r14
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r15
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r16
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r17
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r18
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r19
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r2
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r21
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r22
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r23
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r23b
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r3
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r4
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r5
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r6
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r7
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r8
Affected
Juniper
Search vendor "Juniper"
Screenos
Search vendor "Juniper" for product "Screenos"
6.3.0
Search vendor "Juniper" for product "Screenos" and version "6.3.0"
r9
Affected