Details of VAR-200311-0103

ID

VAR-200311-0103

TITLE

FortiGate Firewall Web Interface Cross-Site Scripting Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2003-3349

DESCRIPTION

The FortiGate Firewall is a hardware firewall solution. The WEB interface included in the FortiGate firewall does not adequately filter URL requests. Remote attackers can exploit this vulnerability for cross-site scripting attacks, which can lead to the disclosure of sensitive information. Multiple scripts on the FortiGate firewall's WEB interface do not adequately filter the URI parameters. If you submit parameters containing malicious script code, when the administrator uses the browser to view these logs, these scripts may be executed on the browser and will be leaked. Username and MD5 HASH password information, which can be used to further attack the system. These issues could be exploited by enticing an administrative user to follow a malicious link that includes hostile HTML and script code as values for URI parameters. If such a link is followed, the hostile code may be rendered in the administrator's browser

Trust: 0.81

sources: CNVD: CNVD-2003-3349 // BID: 9033

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2003-3349

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortigate mr4	scope:	eq	version:	2.5	Trust: 0.6
vendor:	fortinet	model:	fortios	scope:	eq	version:	2.50	Trust: 0.3
vendor:	fortinet	model:	fortios	scope:	eq	version:	2.36	Trust: 0.3
vendor:	fortinet	model:	fortios 0mr4	scope:	eq	version:	2.5	Trust: 0.3
vendor:	fortinet	model:	fortios mr5	scope:	ne	version:	2.50	Trust: 0.3

sources: CNVD: CNVD-2003-3349 // BID: 9033

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD:	CNVD-2003-3349
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2003-3349
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2003-3349

THREAT TYPE

network

Trust: 0.3

sources: BID: 9033

TYPE

Input Validation Error

Trust: 0.3

sources: BID: 9033

EXTERNAL IDS

db:	BID	id:	9033	Trust: 0.9
db:	CNVD	id:	CNVD-2003-3349	Trust: 0.6

sources: CNVD: CNVD-2003-3349 // BID: 9033

REFERENCES

url:	http://www.securityfocus.com/bid/9033/info	Trust: 0.6
url:	http://www.fortinet.com/	Trust: 0.3

sources: CNVD: CNVD-2003-3349 // BID: 9033

CREDITS

Discovery is credited to "Maarten Hartsuijker" <maartenh@phreaker.net>.

Trust: 0.3

sources: BID: 9033

SOURCES

db:	CNVD	id:	CNVD-2003-3349
db:	BID	id:	9033

LAST UPDATE DATE

2022-05-17T01:46:08.853000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2003-3349	date:	2003-11-12T00:00:00
db:	BID	id:	9033	date:	2003-11-12T00:00:00

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2003-3349	date:	2003-11-12T00:00:00
db:	BID	id:	9033	date:	2003-11-12T00:00:00