CVE-2014-6447

11.02.2020, 17:15

Multiple vulnerabilities exist in Juniper Junos J-Web error handling that may lead to cross site scripting (XSS) issues or crash the J-Web service (DoS). This affects Juniper Junos OS 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D20, 12.3 before 12.3R8, 12.3X48 before 12.3X48-D10, 13.1 before 13.1R5, 13.2 before 13.2R6, 13.3 before 13.3R4, 14.1 before 14.1R3, 14.1X53 before 14.1X53-D10, 14.2 before 14.2R1, and 15.1 before 15.1R1.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 63%

Vendor	Product	Version
juniper	junos	12.1x44:x44
juniper	junos	12.1x44:x44
juniper	junos	12.1x44:x44
juniper	junos	12.1x44:x44
juniper	junos	12.1x44:x44
juniper	junos	12.1x44:x44
juniper	junos	12.1x44:x44
juniper	junos	12.1x44:x44
juniper	junos	12.1x46:x46
juniper	junos	12.1x46:x46
juniper	junos	12.1x46:x46
juniper	junos	12.1x46:x46
juniper	junos	12.1x46:x46
juniper	junos	12.1x47:x47
juniper	junos	12.1x47:x47
juniper	junos	12.1x47:x47
juniper	junos	12.3
juniper	junos	12.3:r1
juniper	junos	12.3:r2
juniper	junos	12.3:r3
juniper	junos	12.3:r4
juniper	junos	12.3:r5
juniper	junos	12.3:r6
juniper	junos	12.3:r7
juniper	junos	12.3x48:x48
juniper	junos	13.1
juniper	junos	13.1:r1
juniper	junos	13.1:r2
juniper	junos	13.1:r3
juniper	junos	13.1:r4
juniper	junos	13.1:r4-s2
juniper	junos	13.2
juniper	junos	13.2:r1
juniper	junos	13.2:r2
juniper	junos	13.2:r3
juniper	junos	13.2:r4
juniper	junos	13.2:r5
juniper	junos	13.3
juniper	junos	13.3:r1
juniper	junos	13.3:r10
juniper	junos	13.3:r2
juniper	junos	13.3:r2-s2
juniper	junos	13.3:r3
juniper	junos	14.1
juniper	junos	14.1:r1
juniper	junos	14.1:r2
juniper	junos	14.1x53:x53
juniper	junos	14.2
juniper	junos	15.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10682

http://www.securitytracker.com/id/1032846

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10682

http://www.securitytracker.com/id/1032846