Juniper Mobility System Software (MSS) web portal WebAAA cross-site scripting (XSS)

Advisory Information
Title: Juniper Mobility System Software (MSSTM) web portal WebAAA cross-site scripting (XSS)
Advisory ID: SWRX-2012-004
Advisory URL:
Date published: Thursday, June 14, 2012
CVE: CVE-2012-1038
CVSS v2 base score: 5.0
Date of last update: Thursday, August 22, 2013
Vendors contacted: Juniper Networks, Inc.
Release mode: Coordinated
Discovered by: Craig Lambert, Dell SecureWorks


The Juniper Networks Mobility System Software is part of Juniper's Wireless LAN Services (WLS) software product set and is the operating system component of the Mobility System. According to the Mobility System Software configuration guide, the Mobility System Software runs all WLC switches and WLAs in a WLAN. This advisory focuses on the Juniper Mobility System Software web portal WebAAA, which "provides a simple and universal way to authenticate any user or device using a web browser. A common application of WebAAA is to control access for guests on your network."

A vulnerability exists in the WebAAA login function for versions prior to 7.6.3 and 7.7.1 due to insufficient input validation of arbitrary URL parameters. Successful exploitation may aid an attacker in retrieving session cookies, stealing recently submitted data, or launching further attacks.

Download the PDF
PGP Signature (PC Users: You may need to right click your mouse and select "Save As")
SecureWorks CTU Public Key

Next Steps

Contact Us Call Us Today
(877) 838-7947
UK +44 131 260 3044


Online Tools

  • Print this Page
  • Share This Resource

By completing this form you'll be opting in to receiving future communications about products and services from Dell SecureWorks.