CVE-2024-21620

HIGH
Published Jan 25, 2024 Modified Nov 21, 2024 CWE-79

Description

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an attacker to construct a URL that when visited by another user enables the attacker to execute commands with the target's permissions, including an administrator. A specific invocation of the emit_debug_note method in webauth_operation.php will echo back the data it receives. This issue affects Juniper Networks Junos OS on SRX Series and EX Series: * All versions earlier than 20.4R3-S10; * 21.2 versions earlier than 21.2R3-S8; * 21.4 versions earlier than 21.4R3-S6; * 22.1 versions earlier than 22.1R3-S5; * 22.2 versions earlier than 22.2R3-S3; * 22.3 versions earlier than 22.3R3-S2; * 22.4 versions earlier than 22.4R3-S1; * 23.2 versions earlier than 23.2R2; * 23.4 versions earlier than 23.4R2.

CVSS v3.1 Score

8.8
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weakness Type (CWE)

CWE-79 Cross-site Scripting (XSS)

Affected Products

Vendor Product
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper junos
juniper ex_redundant_power_system
juniper ex_rps
juniper ex2200
juniper ex2200-c
juniper ex2200-vc
juniper ex2300
juniper ex2300-24mp
juniper ex2300-24p
juniper ex2300-24t
juniper ex2300-48mp
juniper ex2300-48p
juniper ex2300-48t
juniper ex2300-c
juniper ex2300_multigigabit
juniper ex2300m
juniper ex3200
juniper ex3300
juniper ex3300-vc
juniper ex3400
juniper ex4100
juniper ex4100-f
juniper ex4100_multigigabit
juniper ex4200
juniper ex4200-vc
juniper ex4300
juniper ex4300-24p
juniper ex4300-24p-s
juniper ex4300-24t
juniper ex4300-24t-s
juniper ex4300-32f
juniper ex4300-32f-dc
juniper ex4300-32f-s
juniper ex4300-48mp
juniper ex4300-48mp-s
juniper ex4300-48p
juniper ex4300-48p-s
juniper ex4300-48t
juniper ex4300-48t-afi
juniper ex4300-48t-dc
juniper ex4300-48t-dc-afi
juniper ex4300-48t-s
juniper ex4300-48tafi
juniper ex4300-48tdc
juniper ex4300-48tdc-afi
juniper ex4300-mp
juniper ex4300-vc
juniper ex4300_multigigabit
juniper ex4300m
juniper ex4400
juniper ex4400-24x
juniper ex4400_multigigabit
juniper ex4500
juniper ex4500-vc
juniper ex4550
juniper ex4550-vc
juniper ex4550\/vc
juniper ex4600
juniper ex4600-vc
juniper ex4650
juniper ex6200
juniper ex6210
juniper ex8200
juniper ex8200-vc
juniper ex8208
juniper ex8216
juniper ex9200
juniper ex9204
juniper ex9208
juniper ex9214
juniper ex9250
juniper ex9251
juniper ex9253
juniper srx100
juniper srx110
juniper srx1400
juniper srx1500
juniper srx1600
juniper srx210
juniper srx220
juniper srx2300
juniper srx240
juniper srx240h2
juniper srx240m
juniper srx300
juniper srx320
juniper srx340
juniper srx3400
juniper srx345
juniper srx3600
juniper srx380
juniper srx4000
juniper srx4100
juniper srx4200
juniper srx4300
juniper srx4600
juniper srx4700
juniper srx5000
juniper srx5400
juniper srx550
juniper srx550_hm
juniper srx550m
juniper srx5600
juniper srx5800
juniper srx650

References

Frequently Asked Questions

What is CVE-2024-21620? +
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an attacker to construct a URL that when visited by another user enables the attacker to execute commands with the target's permissions, including an administrator. A specific invocation of the emit_debug_note method in webauth_operation.php will echo back the data it receives. This issue affects Juniper Networks Junos OS on SRX Series and EX Series: * All versions earlier than 20.4R3-S10; * 21.2 versions earlier than 21.2R3-S8; * 21.4 versions earlier than 21.4R3-S6; * 22.1 versions earlier than 22.1R3-S5; * 22.2 versions earlier than 22.2R3-S3; * 22.3 versions earlier than 22.3R3-S2; * 22.4 versions earlier than 22.4R3-S1; * 23.2 versions earlier than 23.2R2; * 23.4 versions earlier than 23.4R2. It has a CVSS v3.1 base score of 8.8 (HIGH).
How severe is CVE-2024-21620? +
CVE-2024-21620 has a CVSS v3.1 score of 8.8 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.
What products are affected by CVE-2024-21620? +
CVE-2024-21620 affects products from juniper, specifically: ex2200, ex2200-c, ex2200-vc, ex2300, ex2300-24mp, ex2300-24p, ex2300-24t, ex2300-48mp, ex2300-48p, ex2300-48t, ex2300-c, ex2300_multigigabit, ex2300m, ex3200, ex3300, ex3300-vc, ex3400, ex4100, ex4100-f, ex4100_multigigabit, ex4200, ex4200-vc, ex4300, ex4300-24p, ex4300-24p-s, ex4300-24t, ex4300-24t-s, ex4300-32f, ex4300-32f-dc, ex4300-32f-s, ex4300-48mp, ex4300-48mp-s, ex4300-48p, ex4300-48p-s, ex4300-48t, ex4300-48t-afi, ex4300-48t-dc, ex4300-48t-dc-afi, ex4300-48t-s, ex4300-48tafi, ex4300-48tdc, ex4300-48tdc-afi, ex4300-mp, ex4300-vc, ex4300_multigigabit, ex4300m, ex4400, ex4400-24x, ex4400_multigigabit, ex4500, ex4500-vc, ex4550, ex4550-vc, ex4550\/vc, ex4600, ex4600-vc, ex4650, ex6200, ex6210, ex8200, ex8200-vc, ex8208, ex8216, ex9200, ex9204, ex9208, ex9214, ex9250, ex9251, ex9253, ex_redundant_power_system, ex_rps, junos, srx100, srx110, srx1400, srx1500, srx1600, srx210, srx220, srx2300, srx240, srx240h2, srx240m, srx300, srx320, srx340, srx3400, srx345, srx3600, srx380, srx4000, srx4100, srx4200, srx4300, srx4600, srx4700, srx5000, srx5400, srx550, srx550_hm, srx550m, srx5600, srx5800, srx650. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2024-21620? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2024-21620 — free, no signup required.

Start Free Scan