Strix
26.1K

CVE-2022-22229

HIGHCVSS 8.4/10EPSS 0.67%

Last modified

CVE-2022-22229 is a high-severity vulnerability rated 8.4/10 on the CVSS scale. An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability, a stored XSS (or persistent), in the Control Center Controller web pages of Juniper Networks Paragon Active Assurance (Formerly Netrounds) allows a high-privilege attacker with 'WRITE' permissions to store one or more malicious scripts that will infect any other authorized user's account when they accidentally trigger the malicious script(s) while managing the device. Triggering these attacks enables the attacker to execute commands with the permissions up to that of the superuser account. EPSS estimates a 0.67% chance of exploitation in the next 30 days.

Description

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability, a stored XSS (or persistent), in the Control Center Controller web pages of Juniper Networks Paragon Active Assurance (Formerly Netrounds) allows a high-privilege attacker with 'WRITE' permissions to store one or more malicious scripts that will infect any other authorized user's account when they accidentally trigger the malicious script(s) while managing the device. Triggering these attacks enables the attacker to execute commands with the permissions up to that of the superuser account. This issue affects: Juniper Networks Paragon Active Assurance (Formerly Netrounds) All versions prior to 3.1.1; 3.2 versions prior to 3.2.1.

Metrics

CVSS 3.1
8.4/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

EPSS Probability
0.67%

47.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
JuniperParagon Active Assurance Control Center< 3.1.1
JuniperParagon Active Assurance Control Center3.2.0

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2022-22229?
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability, a stored XSS (or persistent), in the Control Center Controller web pages of Juniper Networks Paragon Active Assurance (Formerly Netrounds) allows a high-privilege attacker with 'WRITE' permissions to store one or more malicious scripts that will infect any other authorized user's account when they accidentally trigger the malicious script(s) while managing the device. Triggering these attacks enables the attacker to execute commands with the permissions up to that of the superuser account. This issue affects: Juniper Networks Paragon Active Assurance (Formerly Netrounds) All versions prior to 3.1.1; 3.2 versions prior to 3.2.1.
How severe is CVE-2022-22229?
CVE-2022-22229 has a CVSS score of 8.4/10 (HIGH severity). The EPSS model estimates a 0.67% probability of exploitation in the next 30 days.
How do I fix CVE-2022-22229?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-22229?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST