Details of VAR-201309-0472

ID

VAR-201309-0472

CVE

CVE-2013-5649

TITLE

IVE OS Equipped with Juniper Junos Pulse Secure Access Service Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2013-004160

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS 7.1 before 7.1r15, 7.2 before 7.2r11, 7.3 before 7.3r6, and 7.4 before 7.4r3 allow (1) remote attackers to inject arbitrary web script or HTML via vectors involving login pages, and allow (2) remote authenticated users to inject arbitrary web script or HTML via vectors involving a support page. Junos Pulse Secure Access Service is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Versions prior to Junos Pulse Secure Access Service 7.4r3, 7.3r6, 7.2r11, or 7.1r15 are vulnerable. Juniper Networks Junos Pulse Secure Access Service (SSL VPN) is a simple, intuitive client from Juniper Networks. The client supports remote and mobile users to access enterprise resources with various web devices. The following versions are affected: 7.1 prior to 7.1r15, 7.2 prior to 7.2r11, 7.3 prior to 7.3r6, 7.4 prior to 7.4r3

Trust: 1.98

sources: NVD: CVE-2013-5649 // JVNDB: JVNDB-2013-004160 // BID: 62353 // VULHUB: VHN-65651

AFFECTED PRODUCTS

vendor:	juniper	model:	ive os	scope:	eq	version:	7.4	Trust: 1.6
vendor:	juniper	model:	ive os	scope:	eq	version:	7.3	Trust: 1.6
vendor:	juniper	model:	ive os	scope:	eq	version:	7.1	Trust: 1.6
vendor:	juniper	model:	ive os	scope:	eq	version:	7.2	Trust: 1.6
vendor:	juniper	model:	ive os	scope:	lt	version:	7.2	Trust: 0.8
vendor:	juniper	model:	ive os	scope:	lt	version:	7.3	Trust: 0.8
vendor:	juniper	model:	ive os	scope:	lt	version:	7.4	Trust: 0.8
vendor:	juniper	model:	ive os	scope:	eq	version:	7.1r15	Trust: 0.8
vendor:	juniper	model:	ive os	scope:	eq	version:	7.3r6	Trust: 0.8
vendor:	juniper	model:	ive os	scope:	eq	version:	7.2r11	Trust: 0.8
vendor:	juniper	model:	ive os	scope:	eq	version:	7.4r3	Trust: 0.8
vendor:	juniper	model:	ive os	scope:	lt	version:	7.1	Trust: 0.8

sources: JVNDB: JVNDB-2013-004160 // CNNVD: CNNVD-201309-196 // NVD: CVE-2013-5649

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-5649
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-5649
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201309-196
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-65651
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2013-5649
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-65651
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-65651 // JVNDB: JVNDB-2013-004160 // CNNVD: CNNVD-201309-196 // NVD: CVE-2013-5649

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-65651 // JVNDB: JVNDB-2013-004160 // NVD: CVE-2013-5649

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201309-196

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201309-196

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004160

PATCH

title:

SA10589

url:

http://kb.juniper.net/JSA10589

Trust: 0.8

sources: JVNDB: JVNDB-2013-004160

EXTERNAL IDS

db:	NVD	id:	CVE-2013-5649	Trust: 2.8
db:	JUNIPER	id:	JSA10589	Trust: 1.7
db:	OSVDB	id:	97240	Trust: 1.1
db:	JVNDB	id:	JVNDB-2013-004160	Trust: 0.8
db:	CNNVD	id:	CNNVD-201309-196	Trust: 0.7
db:	BID	id:	62353	Trust: 0.4
db:	VULHUB	id:	VHN-65651	Trust: 0.1

sources: VULHUB: VHN-65651 // BID: 62353 // JVNDB: JVNDB-2013-004160 // CNNVD: CNNVD-201309-196 // NVD: CVE-2013-5649

REFERENCES

url:	http://kb.juniper.net/jsa10589	Trust: 1.7
url:	http://osvdb.org/97240	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5649	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5649	Trust: 0.8
url:	http://www.juniper.net	Trust: 0.3

sources: VULHUB: VHN-65651 // BID: 62353 // JVNDB: JVNDB-2013-004160 // CNNVD: CNNVD-201309-196 // NVD: CVE-2013-5649

CREDITS

Sandro Gauci, EnableSecurity

Trust: 0.3

sources: BID: 62353

SOURCES

db:	VULHUB	id:	VHN-65651
db:	BID	id:	62353
db:	JVNDB	id:	JVNDB-2013-004160
db:	CNNVD	id:	CNNVD-201309-196
db:	NVD	id:	CVE-2013-5649

LAST UPDATE DATE

2024-11-23T22:08:29.424000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-65651	date:	2013-09-18T00:00:00
db:	BID	id:	62353	date:	2013-09-12T00:00:00
db:	JVNDB	id:	JVNDB-2013-004160	date:	2013-09-18T00:00:00
db:	CNNVD	id:	CNNVD-201309-196	date:	2013-09-16T00:00:00
db:	NVD	id:	CVE-2013-5649	date:	2024-11-21T01:57:52.807

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-65651	date:	2013-09-13T00:00:00
db:	BID	id:	62353	date:	2013-09-12T00:00:00
db:	JVNDB	id:	JVNDB-2013-004160	date:	2013-09-18T00:00:00
db:	CNNVD	id:	CNNVD-201309-196	date:	2013-09-16T00:00:00
db:	NVD	id:	CVE-2013-5649	date:	2013-09-13T14:10:27.580