TTCSIRT-021.071717: TT-CSIRT Advisory – Juniper Security Updates

A security researcher testing a Juniper NetScreen Firewall + VPN found multiple stored cross-site scripting vulnerabilities that could be used to elevate privileges through the NetScreen WebUI. A user with the ‘security’ role can inject HTML/JavaScript content into the management session of other users, including the administrator. This enables the lower-privileged user to effectively execute commands with the permissions of an administrator.

In order to fix this vulnerability, ScreenOS has been updated to add checks to prevent scripts in WebUI strings.

Further information on this security update can be found on the Juniper website at https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10782&cat=SIRT_1&actp=LIST