JSA10646 - 2014-09 Security Bulletin: Junos Pulse Secure Access Service (SSL VPN): Cross site scripting issue (CVE-2014-3824)

Product Affected
SA700, SA2500, FIPS SA4000, SA4500, FIPS SA4500, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611. The affected software releases include IVE OS: 8.0, 7.4, and 7.1.
Problem
A cross site scripting issue has been found in the Pulse Connect Secure product. The problem is a result of incorrect user input validation on the SSL VPN web server. The issue exists within a web page that is only accessible by an authenticated user session.

Pulse Secure PSIRT is not aware of any malicious exploitation of this vulnerability.

No other Pulse Secure products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3824.
 
Solution
The issue is fixed in SA/MAG/PCS (IVE OS) releases: 8.0r6, 7.4r13, and 7.1r20, and all subsequent releases.
Workaround
There is no workaround for this issue. An upgrade to a fixed version of software is required.
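Since upgrading is the only remediation, the first practical step is to sort deployed appliances by whether they already run a fixed release. The following is an added example, not code from this bulletin or from the vendor; the version-string format (`<major>.<minor>R<release>` with an optional build suffix) and the sample hostnames are assumptions.

```python
import re

# Fixed releases per affected IVE OS branch, taken from the bulletin's Solution text.
FIXED = {(8, 0): 6, (7, 4): 13, (7, 1): 20}

# Assumed version format: "<major>.<minor>R<release>" with an optional ".<build>"
# suffix, case-insensitive, e.g. "8.0R4.1" or "7.4r13".
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)[rR](\d+)(?:\.\d+)?\s*$")

def classify(version):
    """Return 'vulnerable', 'fixed', 'not_listed' or 'unparsed' for one version string."""
    m = _VERSION.match(version)
    if not m:
        return "unparsed"
    major, minor, release = (int(g) for g in m.groups())
    fixed_release = FIXED.get((major, minor))
    if fixed_release is None:
        # Branch is not named in the bulletin; check it by hand instead of guessing.
        return "not_listed"
    return "fixed" if release >= fixed_release else "vulnerable"

def triage(inventory):
    """Group hosts by status; anything not confirmed fixed stays visible for follow-up."""
    report = {"vulnerable": [], "fixed": [], "not_listed": [], "unparsed": []}
    for host, version in inventory.items():
        report[classify(version)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = {
    "vpn-a.example.test": "8.0R5",
    "vpn-b.example.test": "8.0R6",
    "vpn-c.example.test": "7.4r12.1",
    "vpn-d.example.test": "7.1R20",
    "vpn-e.example.test": "7.3R2",
    "vpn-f.example.test": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:11} {', '.join(hosts) or '-'}")
```

Hosts reported as `not_listed` or `unparsed` are not cleared by this check and need to be verified manually against the bulletin.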
CVSS Score
6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Risk Assessment
Successful exploit of this vulnerability could allow an attacker to dynamically create arbitrary active content which could be rendered in the user's browser, leading to possible session theft, service disruption, or other information disclosure.
Acknowledgements
Pulse Secure PSIRT would like to thank an anonymous contributor from VeriSign iDefense Labs for bringing this issue to our attention.
Alert Type
SA - Security Advisory
Risk Level
High
Legacy ID
JSA10646
