CVE-2025-60009

Severity CVSS v4.0:

MEDIUM

Type:

CWE-79 Cross-Site Scripting (XSS)

Publication date:

09/10/2025

Last modified:

23/01/2026

Description

An Improper Neutralization of Input During Web Page Generation (&#39;Cross-site Scripting&#39;) vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the CLI Configlet page that, when visited by another user, enables the attacker to execute commands with the target&#39;s permissions, including an administrator. This issue affects all versions of Junos Space before 24.1R4.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS v4.0 Severity and Metrics:

Base Score: 5.10 MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): Active
Confidentiality (VC): None
Integrity (VI): None
Availability (VA): None
Confidentiality (SC): Low
Integrity (SI): Low
Availability (SA): None

Base Score 4.0

5.10

Severity 4.0

MEDIUM

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 6.10 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

Base Score 3.x

6.10

Severity 3.x

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:juniper:junos_space::::::::		24.1 (excluding)
cpe:2.3:a:juniper:junos_space:24.1:r1::::::
cpe:2.3:a:juniper:junos_space:24.1:r2::::::
cpe:2.3:a:juniper:junos_space:24.1:r3::::::

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://supportportal.juniper.net/JSA103140