ID

VAR-201403-0328


CVE

CVE-2014-2291


TITLE

Cross-site scripting vulnerability in IVE OS of Juniper Junos Pulse Secure Access Service

Trust: 0.8

sources: JVNDB: JVNDB-2014-001702

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the Pulse Collaboration (Secure Meeting) user pages in Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS before 7.1r18, 7.3 before 7.3r10, 7.4 before 7.4r8, and 8.0 before 8.0r1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Juniper Networks' Secure Access is an enterprise-class SSL VPN access device running on Juniper IVE OS. It lets remote and mobile users access enterprise resources from a variety of web-capable devices. Because input to the affected Pulse Collaboration (Secure Meeting) user page is not filtered before it is returned to the user, a remote attacker can construct a malicious URI and entice a user to open it, and in doing so obtain sensitive cookies, hijack the session, or perform malicious operations on the client. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Trust: 2.52

sources: NVD: CVE-2014-2291 // JVNDB: JVNDB-2014-001702 // CNVD: CNVD-2014-01737 // BID: 66173 // VULHUB: VHN-70230

IOT TAXONOMY

category: ['Network device'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-01737

AFFECTED PRODUCTS

vendor: juniper // model: ive os // scope: eq // version: 8.0

Trust: 1.9

vendor: juniper // model: ive os // scope: eq // version: 7.4

Trust: 1.9

vendor: juniper // model: ive os // scope: eq // version: 7.3

Trust: 1.9

vendor: juniper // model: ive os // scope: eq // version: 7.1

Trust: 1.9

vendor: juniper // model: ive os // scope: eq // version: 7.3r10

Trust: 0.8

vendor: juniper // model: ive os // scope: eq // version: 7.4r8

Trust: 0.8

vendor: juniper // model: ive os // scope: lt // version: 7.3

Trust: 0.8

vendor: juniper // model: ive os // scope: eq // version: 8.0r1

Trust: 0.8

vendor: juniper // model: ive os // scope: lt // version: 7.4

Trust: 0.8

vendor: juniper // model: ive os // scope: lt // version: 8.0

Trust: 0.8

vendor: juniper // model: networks ive os software // scope: eq // version: 7.x

Trust: 0.6

vendor: juniper // model: networks ive os software // scope: eq // version: 8.x

Trust: 0.6

vendor: juniper // model: sa700 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: sa6500 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: sa6000 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: sa4500 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: sa4000 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: sa2500 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: sa2000 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: mag6611 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: mag6610 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: mag4610 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: mag2600 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: fips sa6500 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: fips sa6000 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: fips sa4500 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: fips sa4000 // scope: eq // version: 0

Trust: 0.3

vendor: juniper // model: ive os 8.0r1 // scope: ne // version: -

Trust: 0.3

vendor: juniper // model: ive os 7.4r8 // scope: ne // version: -

Trust: 0.3

vendor: juniper // model: ive os 7.3r10 // scope: ne // version: -

Trust: 0.3

vendor: juniper // model: ive os 7.1r18 // scope: ne // version: -

Trust: 0.3

sources: CNVD: CNVD-2014-01737 // BID: 66173 // JVNDB: JVNDB-2014-001702 // CNNVD: CNNVD-201403-288 // NVD: CVE-2014-2291

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2291
value: LOW

Trust: 1.0

NVD: CVE-2014-2291
value: LOW

Trust: 0.8

CNVD: CNVD-2014-01737
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201403-288
value: LOW

Trust: 0.6

VULHUB: VHN-70230
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2014-2291
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-01737
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-70230
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-01737 // VULHUB: VHN-70230 // JVNDB: JVNDB-2014-001702 // CNNVD: CNNVD-201403-288 // NVD: CVE-2014-2291

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-70230 // JVNDB: JVNDB-2014-001702 // NVD: CVE-2014-2291

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201403-288

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201403-288

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001702

PATCH

title: JSA10617 // url: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10617

Trust: 0.8

title: Juniper Junos Pulse Secure Access SSL VPN Cross-Site Scripting Vulnerability Patch // url: https://www.cnvd.org.cn/patchInfo/show/44311

Trust: 0.6

sources: CNVD: CNVD-2014-01737 // JVNDB: JVNDB-2014-001702

EXTERNAL IDS

db: NVD // id: CVE-2014-2291

Trust: 3.4

db: JUNIPER // id: JSA10617

Trust: 2.6

db: SECUNIA // id: 57375

Trust: 1.7

db: BID // id: 66173

Trust: 1.0

db: JVNDB // id: JVNDB-2014-001702

Trust: 0.8

db: CNNVD // id: CNNVD-201403-288

Trust: 0.7

db: CNVD // id: CNVD-2014-01737

Trust: 0.6

db: VULHUB // id: VHN-70230

Trust: 0.1

sources: CNVD: CNVD-2014-01737 // VULHUB: VHN-70230 // BID: 66173 // JVNDB: JVNDB-2014-001702 // CNNVD: CNNVD-201403-288 // NVD: CVE-2014-2291

REFERENCES

url:https://kb.juniper.net/infocenter/index?page=content&id=jsa10617

Trust: 2.5

url:http://secunia.com/advisories/57375

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/91770

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2291

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2291

Trust: 0.8

url:http://www.juniper.net/

Trust: 0.3

url:https://kb.juniper.net/infocenter/index?page=content&id=jsa10617

Trust: 0.1

sources: CNVD: CNVD-2014-01737 // VULHUB: VHN-70230 // BID: 66173 // JVNDB: JVNDB-2014-001702 // CNNVD: CNNVD-201403-288 // NVD: CVE-2014-2291

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 66173

SOURCES

db: CNVD // id: CNVD-2014-01737
db: VULHUB // id: VHN-70230
db: BID // id: 66173
db: JVNDB // id: JVNDB-2014-001702
db: CNNVD // id: CNNVD-201403-288
db: NVD // id: CVE-2014-2291

LAST UPDATE DATE

2024-11-23T22:08:21.989000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2014-01737 // date: 2014-03-17T00:00:00
db: VULHUB // id: VHN-70230 // date: 2017-08-29T00:00:00
db: BID // id: 66173 // date: 2014-03-12T00:00:00
db: JVNDB // id: JVNDB-2014-001702 // date: 2014-03-18T00:00:00
db: CNNVD // id: CNNVD-201403-288 // date: 2014-03-18T00:00:00
db: NVD // id: CVE-2014-2291 // date: 2024-11-21T02:06:00.980

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2014-01737 // date: 2014-03-17T00:00:00
db: VULHUB // id: VHN-70230 // date: 2014-03-14T00:00:00
db: BID // id: 66173 // date: 2014-03-12T00:00:00
db: JVNDB // id: JVNDB-2014-001702 // date: 2014-03-18T00:00:00
db: CNNVD // id: CNNVD-201403-288 // date: 2014-03-18T00:00:00
db: NVD // id: CVE-2014-2291 // date: 2014-03-14T15:55:05.697