ID

VAR-201402-0186


CVE

CVE-2013-7182


TITLE

Fortinet FortiOS Cross-site scripting vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2014-001304 // CNNVD: CNNVD-201402-024

DESCRIPTION

Cross-site scripting (XSS) vulnerability in firewall/schedule/recurrdlg in Fortinet FortiOS 5.0.5 allows remote attackers to inject arbitrary web script or HTML via the mkey parameter (CWE-79). FortiOS, provided by Fortinet, contains a cross-site scripting vulnerability: the handling of the mkey parameter of /firewall/schedule/recurrdlg is flawed, resulting in a cross-site scripting (CWE-79) vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiOS 5.0.5 is vulnerable; other versions may also be affected. Fortinet FortiOS is a security operating system developed by Fortinet for the FortiGate network security platform. It provides security functions such as firewall, anti-virus, IPsec/SSL VPN, web content filtering and anti-spam. The vulnerability is due to the value of the 'mkey' parameter not being properly sanitized when passed to firewall/schedule/recurrdlg.

Trust: 2.7

sources: NVD: CVE-2013-7182 // CERT/CC: VU#728638 // JVNDB: JVNDB-2014-001304 // BID: 65308 // VULHUB: VHN-67184

AFFECTED PRODUCTS

vendor: fortinet, model: fortios, scope: eq, version: 5.0.5

Trust: 1.9

vendor: fortinet, model: -, scope: -, version: -

Trust: 0.8

vendor: fortinet, model: fortios, scope: lt, version: 5.0.6 earlier

Trust: 0.8

vendor: fortinet, model: fortios, scope: ne, version: 5.0.6

Trust: 0.3

sources: CERT/CC: VU#728638 // BID: 65308 // JVNDB: JVNDB-2014-001304 // CNNVD: CNNVD-201402-024 // NVD: CVE-2013-7182

CVSS

SEVERITY

NVD: CVE-2013-7182
value: MEDIUM

Trust: 1.6

nvd@nist.gov: CVE-2013-7182
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-201402-024
value: MEDIUM

Trust: 0.6

VULHUB: VHN-67184
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2013-7182
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

NVD: CVE-2013-7182
severity: MEDIUM
baseScore: 4.3
vectorString: NONE
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-67184
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#728638 // VULHUB: VHN-67184 // JVNDB: JVNDB-2014-001304 // CNNVD: CNNVD-201402-024 // NVD: CVE-2013-7182

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 2.7

sources: CERT/CC: VU#728638 // VULHUB: VHN-67184 // JVNDB: JVNDB-2014-001304 // NVD: CVE-2013-7182

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-024

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201402-024

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001304

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-67184

PATCH

title: FortiGate Cross-Site Scripting Vulnerability
url: http://www.fortiguard.com/advisory/FG-IR-14-003/

Trust: 0.8

title: FortiOS 5 Network Security Operating System
url: http://www.fortinet.com/technology/network-os-fortios.html

Trust: 0.8

sources: JVNDB: JVNDB-2014-001304

EXTERNAL IDS

db: CERT/CC, id: VU#728638

Trust: 3.6

db: NVD, id: CVE-2013-7182

Trust: 2.8

db: BID, id: 65308

Trust: 1.4

db: OSVDB, id: 102819

Trust: 1.1

db: SECUNIA, id: 56739

Trust: 1.1

db: SECTRACK, id: 1029730

Trust: 1.1

db: JVN, id: JVNVU93422585

Trust: 0.8

db: JVNDB, id: JVNDB-2014-001304

Trust: 0.8

db: CNNVD, id: CNNVD-201402-024

Trust: 0.7

db: PACKETSTORM, id: 125050

Trust: 0.1

db: VULHUB, id: VHN-67184

Trust: 0.1

sources: CERT/CC: VU#728638 // VULHUB: VHN-67184 // BID: 65308 // JVNDB: JVNDB-2014-001304 // CNNVD: CNNVD-201402-024 // NVD: CVE-2013-7182

REFERENCES

url: http://www.kb.cert.org/vuls/id/728638

Trust: 2.8

url: http://www.fortiguard.com/advisory/fg-ir-14-003/

Trust: 2.2

url: http://www.securityfocus.com/bid/65308

Trust: 1.1

url: http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0016.html

Trust: 1.1

url: http://osvdb.org/102819

Trust: 1.1

url: http://www.securitytracker.com/id/1029730

Trust: 1.1

url: http://secunia.com/advisories/56739

Trust: 1.1

url: http://cwe.mitre.org/data/definitions/79.html

Trust: 0.8

url: http://www.fortinet.com/technology/network-os-fortios.html

Trust: 0.8

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-7182

Trust: 0.8

url: http://jvn.jp/vu/jvnvu93422585/index.html

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-7182

Trust: 0.8

url: https://www.fortinet.com/products/fortigate/fortios.html

Trust: 0.3

sources: CERT/CC: VU#728638 // VULHUB: VHN-67184 // BID: 65308 // JVNDB: JVNDB-2014-001304 // CNNVD: CNNVD-201402-024 // NVD: CVE-2013-7182

CREDITS

William Costa

Trust: 0.3

sources: BID: 65308

SOURCES

db: CERT/CC, id: VU#728638
db: VULHUB, id: VHN-67184
db: BID, id: 65308
db: JVNDB, id: JVNDB-2014-001304
db: CNNVD, id: CNNVD-201402-024
db: NVD, id: CVE-2013-7182

LAST UPDATE DATE

2024-09-09T22:53:26.180000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#728638, date: 2014-02-04T00:00:00
db: VULHUB, id: VHN-67184, date: 2014-02-12T00:00:00
db: BID, id: 65308, date: 2014-02-03T00:00:00
db: JVNDB, id: JVNDB-2014-001304, date: 2014-02-06T00:00:00
db: CNNVD, id: CNNVD-201402-024, date: 2014-02-08T00:00:00
db: NVD, id: CVE-2013-7182, date: 2014-02-12T04:50:05.920

SOURCES RELEASE DATE

db: CERT/CC, id: VU#728638, date: 2014-02-03T00:00:00
db: VULHUB, id: VHN-67184, date: 2014-02-04T00:00:00
db: BID, id: 65308, date: 2014-02-03T00:00:00
db: JVNDB, id: JVNDB-2014-001304, date: 2014-02-05T00:00:00
db: CNNVD, id: CNNVD-201402-024, date: 2014-02-08T00:00:00
db: NVD, id: CVE-2013-7182, date: 2014-02-04T05:39:08.403