ID

VAR-201402-0185


CVE

CVE-2013-7181


TITLE

Mediatrix 4402 digital gateway web interface contains a cross-site scripting (XSS) vulnerability

Trust: 0.8

sources: CERT/CC: VU#252294

DESCRIPTION

Cross-site scripting (XSS) vulnerability in user/ldap_user/add in Fortinet FortiOS 5.0.3 allows remote attackers to inject arbitrary web script or HTML via the filter parameter. Mediatrix's web management interface for the 4402 digital gateway device with firmware version Dgw 1.1.13.186, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability (CWE-79). FortiWeb, provided by Fortinet, contains a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiWeb 5.0.3 is vulnerable; other versions may also be affected. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam. The vulnerability stems from the fact that the value of the parameter 'filter' is not properly filtered when passed to user/ldap_user/add.

Trust: 3.42

sources: NVD: CVE-2013-7181 // CERT/CC: VU#252294 // CERT/CC: VU#593118 // JVNDB: JVNDB-2014-001303 // BID: 65303 // VULHUB: VHN-67183

AFFECTED PRODUCTS

vendor: fortinet, model: fortiweb, scope: eq, version: 5.0.3

Trust: 1.6

vendor: media5, model: -, scope: -, version: -

Trust: 0.8

vendor: fortinet, model: -, scope: -, version: -

Trust: 0.8

vendor: fortinet, model: fortiweb, scope: lt, version: 5.1.0 earlier

Trust: 0.8

sources: CERT/CC: VU#252294 // CERT/CC: VU#593118 // JVNDB: JVNDB-2014-001303 // CNNVD: CNNVD-201402-023 // NVD: CVE-2013-7181

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2013-7181
value: MEDIUM

Trust: 1.6

nvd@nist.gov: CVE-2013-7181
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-1612
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201402-023
value: MEDIUM

Trust: 0.6

VULHUB: VHN-67183
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-7181
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

NVD: CVE-2014-1612
severity: MEDIUM
baseScore: 4.3
vectorString: NONE
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

NVD: CVE-2013-7181
severity: MEDIUM
baseScore: 4.3
vectorString: NONE
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-67183
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#252294 // CERT/CC: VU#593118 // VULHUB: VHN-67183 // JVNDB: JVNDB-2014-001303 // CNNVD: CNNVD-201402-023 // NVD: CVE-2013-7181

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 3.5

sources: CERT/CC: VU#252294 // CERT/CC: VU#593118 // VULHUB: VHN-67183 // JVNDB: JVNDB-2014-001303 // NVD: CVE-2013-7181

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-023

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201402-023

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001303

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-67183

PATCH

title: FortiWeb Cross-Site Scripting Vulnerability, url: http://www.fortiguard.com/advisory/FG-IR-14-002/

Trust: 0.8

title: Web Application Security Firewall FortiWeb, url: http://www.fortinet.com/products/fortiweb/

Trust: 0.8

sources: JVNDB: JVNDB-2014-001303

EXTERNAL IDS

db: NVD, id: CVE-2013-7181

Trust: 2.8

db: CERT/CC, id: VU#593118

Trust: 2.5

db: CERT/CC, id: VU#252294

Trust: 1.6

db: BID, id: 65303

Trust: 1.4

db: SECTRACK, id: 1029731

Trust: 1.1

db: OSVDB, id: 102820

Trust: 1.1

db: SECUNIA, id: 56732

Trust: 1.1

db: JVN, id: JVNVU98993961

Trust: 0.8

db: JVNDB, id: JVNDB-2014-001303

Trust: 0.8

db: CNNVD, id: CNNVD-201402-023

Trust: 0.7

db: PACKETSTORM, id: 125049

Trust: 0.1

db: VULHUB, id: VHN-67183

Trust: 0.1

sources: CERT/CC: VU#252294 // CERT/CC: VU#593118 // VULHUB: VHN-67183 // BID: 65303 // JVNDB: JVNDB-2014-001303 // CNNVD: CNNVD-201402-023 // NVD: CVE-2013-7181

REFERENCES

url:http://www.fortiguard.com/advisory/fg-ir-14-002/

Trust: 1.9

url:http://www.kb.cert.org/vuls/id/593118

Trust: 1.7

url:http://cwe.mitre.org/data/definitions/79.html

Trust: 1.6

url:http://www.securityfocus.com/bid/65303

Trust: 1.1

url:http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0015.html

Trust: 1.1

url:http://osvdb.org/102820

Trust: 1.1

url:http://www.securitytracker.com/id/1029731

Trust: 1.1

url:http://secunia.com/advisories/56732

Trust: 1.1

url:http://www.mediatrix.com/en/voip-gateways/mediatrix-4400-series

Trust: 0.8

url:http://www.securityfocus.com/archive/1/530871/30/0/threaded

Trust: 0.8

url:http://www.fortinet.com/products/fortiweb/

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-7181

Trust: 0.8

url:http://jvn.jp/vu/jvnvu98993961/index.html

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-7181

Trust: 0.8

url:http://www.kb.cert.org/vuls/id/252294

Trust: 0.8

sources: CERT/CC: VU#252294 // CERT/CC: VU#593118 // VULHUB: VHN-67183 // JVNDB: JVNDB-2014-001303 // CNNVD: CNNVD-201402-023 // NVD: CVE-2013-7181

CREDITS

William Costa

Trust: 0.3

sources: BID: 65303

SOURCES

db: CERT/CC, id: VU#252294
db: CERT/CC, id: VU#593118
db: VULHUB, id: VHN-67183
db: BID, id: 65303
db: JVNDB, id: JVNDB-2014-001303
db: CNNVD, id: CNNVD-201402-023
db: NVD, id: CVE-2013-7181

LAST UPDATE DATE

2024-09-09T23:10:47.782000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#252294, date: 2014-04-07T00:00:00
db: CERT/CC, id: VU#593118, date: 2014-02-04T00:00:00
db: VULHUB, id: VHN-67183, date: 2015-07-27T00:00:00
db: BID, id: 65303, date: 2014-02-03T00:00:00
db: JVNDB, id: JVNDB-2014-001303, date: 2014-02-06T00:00:00
db: CNNVD, id: CNNVD-201402-023, date: 2014-02-08T00:00:00
db: NVD, id: CVE-2013-7181, date: 2015-07-27T16:12:36.170

SOURCES RELEASE DATE

db: CERT/CC, id: VU#252294, date: 2014-02-03T00:00:00
db: CERT/CC, id: VU#593118, date: 2014-02-03T00:00:00
db: VULHUB, id: VHN-67183, date: 2014-02-04T00:00:00
db: BID, id: 65303, date: 2014-02-03T00:00:00
db: JVNDB, id: JVNDB-2014-001303, date: 2014-02-05T00:00:00
db: CNNVD, id: CNNVD-201402-023, date: 2014-02-08T00:00:00
db: NVD, id: CVE-2013-7181, date: 2014-02-04T05:39:08.387