ID

VAR-200311-0103


TITLE

FortiGate Firewall Web Interface Cross-Site Scripting Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2003-3349

DESCRIPTION

The FortiGate Firewall is a hardware firewall solution. The web interface included in the FortiGate firewall does not adequately filter URL requests. Remote attackers can exploit this vulnerability for cross-site scripting attacks, which can lead to the disclosure of sensitive information. Multiple scripts on the FortiGate firewall's web interface do not adequately filter URI parameters. If parameters containing malicious script code are submitted, the script may be executed in the administrator's browser when the administrator views the logs, leaking the username and MD5 password hash, which can be used to further attack the system. These issues could be exploited by enticing an administrative user to follow a malicious link that includes hostile HTML and script code as values for URI parameters. If such a link is followed, the hostile code may be rendered in the administrator's browser.

Trust: 0.81

sources: CNVD: CNVD-2003-3349 // BID: 9033

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2003-3349

AFFECTED PRODUCTS

vendor: fortinet, model: fortigate mr4, scope: eq, version: 2.5

Trust: 0.6

vendor: fortinet, model: fortios, scope: eq, version: 2.50

Trust: 0.3

vendor: fortinet, model: fortios, scope: eq, version: 2.36

Trust: 0.3

vendor: fortinet, model: fortios 0mr4, scope: eq, version: 2.5

Trust: 0.3

vendor: fortinet, model: fortios mr5, scope: ne, version: 2.50

Trust: 0.3

sources: CNVD: CNVD-2003-3349 // BID: 9033

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2003-3349
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2003-3349
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2003-3349

THREAT TYPE

network

Trust: 0.3

sources: BID: 9033

TYPE

Input Validation Error

Trust: 0.3

sources: BID: 9033

EXTERNAL IDS

db: BID, id: 9033

Trust: 0.9

db: CNVD, id: CNVD-2003-3349

Trust: 0.6

sources: CNVD: CNVD-2003-3349 // BID: 9033

REFERENCES

url: http://www.securityfocus.com/bid/9033/info

Trust: 0.6

url: http://www.fortinet.com/

Trust: 0.3

sources: CNVD: CNVD-2003-3349 // BID: 9033

CREDITS

Discovery is credited to "Maarten Hartsuijker" <maartenh@phreaker.net>.

Trust: 0.3

sources: BID: 9033

SOURCES

db: CNVD, id: CNVD-2003-3349
db: BID, id: 9033

LAST UPDATE DATE

2022-05-17T01:46:08.853000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2003-3349, date: 2003-11-12T00:00:00
db: BID, id: 9033, date: 2003-11-12T00:00:00

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2003-3349, date: 2003-11-12T00:00:00
db: BID, id: 9033, date: 2003-11-12T00:00:00