Advisory

Juniper Mobility System Software (MSS) Web Portal WebAAA Cross-Site Scripting (XSS)

Advisory Information

  • Title: Juniper Mobility System Software (MSS™) web portal WebAAA cross-site scripting (XSS)
  • Advisory ID: SWRX-2012-004
  • Date published: Thursday, June 14, 2012
  • CVE: CVE-2012-1038
  • CVSS v2 base score: 5.0
  • Date of last update: Thursday, August 22, 2013
  • Vendors contacted: Juniper Networks, Inc.
  • Release mode: Coordinated
  • Discovered by: Craig Lambert, Dell SecureWorks

Summary

The Juniper Networks Mobility System Software is part of Juniper's Wireless LAN Services (WLS) software product set and is the operating system component of the Mobility System. According to the Mobility System Software configuration guide, the Mobility System Software runs all WLC switches and WLAs in a WLAN. This advisory focuses on the Juniper Mobility System Software web portal WebAAA, which "provides a simple and universal way to authenticate any user or device using a web browser. A common application of WebAAA is to control access for guests on your network."

A vulnerability exists in the WebAAA login function for versions prior to 7.6.3 and 7.7.1 due to insufficient input validation of arbitrary URL parameters. Successful exploitation may aid an attacker in retrieving session cookies, stealing recently submitted data, or launching further attacks.

Download the PDF

PGP Signature (PC Users: You may need to right click your mouse and select "Save As")

SecureWorks CTU Public Key



ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM

The Secureworks Counter Threat Unit™ (CTU) is a dedicated threat research team that analyzes threat data across our global customer base and actively monitors the threat landscape.
Back to more Threat Analyses and Advisories

GET THE LATEST SECURITY UPDATES

Thank you for your submission.

Talk with an Expert

Thank you for submitting the form! We have received your request. A Secureworks team member will contact you within one business day.