CVE-2025-59978

Severity CVSS v4.0:

CRITICAL

Type:

CWE-79 Cross-Site Scripting (XSS)

Publication date:

09/10/2025

Last modified:

23/01/2026

Description

An Improper Neutralization of Input During Web Page Generation (&#39;Cross-site Scripting&#39;) vulnerability in Juniper Networks Junos Space allows an attacker to store script tags directly in web pages that, when viewed by another user, enable the attacker to execute commands with the target&#39;s administrative permissions.<br /> This issue affects all versions of Junos Space before 24.1R4.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/R:U/RE:M CVSS v4.0 Severity and Metrics:

Base Score: 9.40 CRITICAL
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/R:U/RE:M

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): Low
User Interaction (UI): Passsive
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): High
Confidentiality (SC): High
Integrity (SI): High
Availability (SA): High
Recovery (R): User
Vulnerability Response Effort (RE): Moderate

Base Score 4.0

9.40

Severity 4.0

CRITICAL

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 9.00 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x

9.00

Severity 3.x

CRITICAL

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:juniper:junos_space::::::::		24.1 (excluding)
cpe:2.3:a:juniper:junos_space:24.1:r1::::::
cpe:2.3:a:juniper:junos_space:24.1:r2::::::
cpe:2.3:a:juniper:junos_space:24.1:r3::::::

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://supportportal.juniper.net/JSA103140