Details of VAR-201402-0185

ID

VAR-201402-0185

CVE

CVE-2013-7181

TITLE

Mediatrix 4402 digital gateway web interface contains a cross-site scripting (XSS) vulnerability

Trust: 0.8

sources: CERT/CC: VU#252294

DESCRIPTION

Cross-site scripting (XSS) vulnerability in user/ldap_user/add in Fortinet FortiOS 5.0.3 allows remote attackers to inject arbitrary web script or HTML via the filter parameter. Mediatrix's web management interface for the 4402 digital gateway device with firmware version Dgw 1.1.13.186, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. (CWE-79). Fortinet Provided by Fortiweb Contains a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet Fortiweb 5.0.3 is vulnerable; other versions may also be affected. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam. The vulnerability stems from the fact that the value of the parameter 'filter' is not properly filtered when passed to user/ldap_user/add

Trust: 3.42

sources: NVD: CVE-2013-7181 // CERT/CC: VU#252294 // CERT/CC: VU#593118 // JVNDB: JVNDB-2014-001303 // BID: 65303 // VULHUB: VHN-67183

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiweb	scope:	eq	version:	5.0.3	Trust: 1.6
vendor:	media5	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	fortinet	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	fortinet	model:	fortiweb	scope:	lt	version:	5.1.0 earlier	Trust: 0.8

sources: CERT/CC: VU#252294 // CERT/CC: VU#593118 // JVNDB: JVNDB-2014-001303 // CNNVD: CNNVD-201402-023 // NVD: CVE-2013-7181

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2013-7181
value:	MEDIUM
Trust: 1.6
nvd@nist.gov:	CVE-2013-7181
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-1612
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201402-023
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-67183
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2013-7181
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
NVD:	CVE-2014-1612
severity:	MEDIUM
baseScore:	4.3
vectorString:	NONE
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
NVD:	CVE-2013-7181
severity:	MEDIUM
baseScore:	4.3
vectorString:	NONE
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-67183
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#252294 // CERT/CC: VU#593118 // VULHUB: VHN-67183 // JVNDB: JVNDB-2014-001303 // CNNVD: CNNVD-201402-023 // NVD: CVE-2013-7181

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 3.5

sources: CERT/CC: VU#252294 // CERT/CC: VU#593118 // VULHUB: VHN-67183 // JVNDB: JVNDB-2014-001303 // NVD: CVE-2013-7181

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-023

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201402-023

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001303

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-67183

PATCH

title:	FortiWeb Cross-Site Scripting Vulnerability	url:	http://www.fortiguard.com/advisory/FG-IR-14-002/	Trust: 0.8
title:	Web Application Security Firewall FortiWeb	url:	http://www.fortinet.com/products/fortiweb/	Trust: 0.8

sources: JVNDB: JVNDB-2014-001303

EXTERNAL IDS

db:	NVD	id:	CVE-2013-7181	Trust: 2.8
db:	CERT/CC	id:	VU#593118	Trust: 2.5
db:	CERT/CC	id:	VU#252294	Trust: 1.6
db:	BID	id:	65303	Trust: 1.4
db:	SECTRACK	id:	1029731	Trust: 1.1
db:	OSVDB	id:	102820	Trust: 1.1
db:	SECUNIA	id:	56732	Trust: 1.1
db:	JVN	id:	JVNVU98993961	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-001303	Trust: 0.8
db:	CNNVD	id:	CNNVD-201402-023	Trust: 0.7
db:	PACKETSTORM	id:	125049	Trust: 0.1
db:	VULHUB	id:	VHN-67183	Trust: 0.1

sources: CERT/CC: VU#252294 // CERT/CC: VU#593118 // VULHUB: VHN-67183 // BID: 65303 // JVNDB: JVNDB-2014-001303 // CNNVD: CNNVD-201402-023 // NVD: CVE-2013-7181

REFERENCES

url:	http://www.fortiguard.com/advisory/fg-ir-14-002/	Trust: 1.9
url:	http://www.kb.cert.org/vuls/id/593118	Trust: 1.7
url:	http://cwe.mitre.org/data/definitions/79.html	Trust: 1.6
url:	http://www.securityfocus.com/bid/65303	Trust: 1.1
url:	http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0015.html	Trust: 1.1
url:	http://osvdb.org/102820	Trust: 1.1
url:	http://www.securitytracker.com/id/1029731	Trust: 1.1
url:	http://secunia.com/advisories/56732	Trust: 1.1
url:	http://www.mediatrix.com/en/voip-gateways/mediatrix-4400-series	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/530871/30/0/threaded	Trust: 0.8
url:	http://www.fortinet.com/products/fortiweb/	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-7181	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu98993961/index.html	Trust: 0.8
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-7181	Trust: 0.8
url:	http://www.kb.cert.org/vuls/id/252294	Trust: 0.8

sources: CERT/CC: VU#252294 // CERT/CC: VU#593118 // VULHUB: VHN-67183 // JVNDB: JVNDB-2014-001303 // CNNVD: CNNVD-201402-023 // NVD: CVE-2013-7181

CREDITS

William Costa

Trust: 0.3

sources: BID: 65303

SOURCES

db:	CERT/CC	id:	VU#252294
db:	CERT/CC	id:	VU#593118
db:	VULHUB	id:	VHN-67183
db:	BID	id:	65303
db:	JVNDB	id:	JVNDB-2014-001303
db:	CNNVD	id:	CNNVD-201402-023
db:	NVD	id:	CVE-2013-7181

LAST UPDATE DATE

2024-09-09T23:10:47.782000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#252294	date:	2014-04-07T00:00:00
db:	CERT/CC	id:	VU#593118	date:	2014-02-04T00:00:00
db:	VULHUB	id:	VHN-67183	date:	2015-07-27T00:00:00
db:	BID	id:	65303	date:	2014-02-03T00:00:00
db:	JVNDB	id:	JVNDB-2014-001303	date:	2014-02-06T00:00:00
db:	CNNVD	id:	CNNVD-201402-023	date:	2014-02-08T00:00:00
db:	NVD	id:	CVE-2013-7181	date:	2015-07-27T16:12:36.170

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#252294	date:	2014-02-03T00:00:00
db:	CERT/CC	id:	VU#593118	date:	2014-02-03T00:00:00
db:	VULHUB	id:	VHN-67183	date:	2014-02-04T00:00:00
db:	BID	id:	65303	date:	2014-02-03T00:00:00
db:	JVNDB	id:	JVNDB-2014-001303	date:	2014-02-05T00:00:00
db:	CNNVD	id:	CNNVD-201402-023	date:	2014-02-08T00:00:00
db:	NVD	id:	CVE-2013-7181	date:	2014-02-04T05:39:08.387