Advisory Information

  • Title: Juniper Mobility System Software (MSS™) web portal WebAAA cross-site scripting (XSS)
  • Advisory ID: SWRX-2012-004
  • Date published: Thursday, June 14, 2012
  • CVE: CVE-2012-1038
  • CVSS v2 base score: 5.0
  • Date of last update: Thursday, August 22, 2013
  • Vendors contacted: Juniper Networks, Inc.
  • Release mode: Coordinated
  • Discovered by: Craig Lambert, Dell SecureWorks


The Juniper Networks Mobility System Software is part of Juniper's Wireless LAN Services (WLS) software product set and is the operating system component of the Mobility System. According to the Mobility System Software configuration guide, the Mobility System Software runs all WLC switches and WLAs in a WLAN. This advisory focuses on the Juniper Mobility System Software web portal WebAAA, which "provides a simple and universal way to authenticate any user or device using a web browser. A common application of WebAAA is to control access for guests on your network."

A vulnerability exists in the WebAAA login function for versions prior to 7.6.3 and 7.7.1 due to insufficient input validation of arbitrary URL parameters. Successful exploitation may aid an attacker in retrieving session cookies, stealing recently submitted data, or launching further attacks.

Download the PDF

PGP Signature (PC Users: You may need to right click your mouse and select "Save As")

SecureWorks CTU Public Key