ID

VAR-201402-0338


CVE

CVE-2014-1458


TITLE

Cross-site scripting vulnerability in the web management interface of FortiGuard FortiWeb

Trust: 0.8

sources: JVNDB: JVNDB-2014-001315

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the web administration interface in FortiGuard FortiWeb 5.0.3 and earlier allows remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors. Fortinet FortiWeb is prone to an HTML-injection vulnerability because it fails to sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. Fortinet FortiWeb 5.0.3 is vulnerable; other versions may also be affected. Fortinet FortiGuard FortiWeb is a web application layer firewall developed by Fortinet that can block threats such as cross-site scripting, SQL injection, cookie poisoning, and schema poisoning. Sensitive database content

Trust: 1.98

sources: NVD: CVE-2014-1458 // JVNDB: JVNDB-2014-001315 // BID: 65354 // VULHUB: VHN-69397

AFFECTED PRODUCTS

vendor: fortinet, model: fortiweb, scope: lte, version: 5.0.3

Trust: 1.8

vendor: fortinet, model: fortiweb, scope: eq, version: 5.0.3

Trust: 0.9

vendor: fortinet, model: fortiweb, scope: ne, version: 5.0.4

Trust: 0.3

sources: BID: 65354 // JVNDB: JVNDB-2014-001315 // CNNVD: CNNVD-201402-033 // NVD: CVE-2014-1458

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-1458
value: LOW

Trust: 1.0

NVD: CVE-2014-1458
value: LOW

Trust: 0.8

CNNVD: CNNVD-201402-033
value: LOW

Trust: 0.6

VULHUB: VHN-69397
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2014-1458
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-69397
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-69397 // JVNDB: JVNDB-2014-001315 // CNNVD: CNNVD-201402-033 // NVD: CVE-2014-1458

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-69397 // JVNDB: JVNDB-2014-001315 // NVD: CVE-2014-1458

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-033

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201402-033

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001315

PATCH

title: FortiWeb Stored Cross-Site Scripting Vulnerability, url: http://www.fortiguard.com/advisory/FG-IR-14-001/

Trust: 0.8

sources: JVNDB: JVNDB-2014-001315

EXTERNAL IDS

db: NVD, id: CVE-2014-1458

Trust: 2.8

db: JVNDB, id: JVNDB-2014-001315

Trust: 0.8

db: CNNVD, id: CNNVD-201402-033

Trust: 0.7

db: BID, id: 65354

Trust: 0.4

db: SEEBUG, id: SSVID-61506

Trust: 0.1

db: VULHUB, id: VHN-69397

Trust: 0.1

sources: VULHUB: VHN-69397 // BID: 65354 // JVNDB: JVNDB-2014-001315 // CNNVD: CNNVD-201402-033 // NVD: CVE-2014-1458

REFERENCES

url:http://www.fortiguard.com/advisory/fg-ir-14-001/

Trust: 2.0

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/90978

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1458

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1458

Trust: 0.8

url:http://www.fortinet.com/

Trust: 0.3

sources: VULHUB: VHN-69397 // BID: 65354 // JVNDB: JVNDB-2014-001315 // CNNVD: CNNVD-201402-033 // NVD: CVE-2014-1458

CREDITS

Enrique E. Nissim.

Trust: 0.3

sources: BID: 65354

SOURCES

db: VULHUB, id: VHN-69397
db: BID, id: 65354
db: JVNDB, id: JVNDB-2014-001315
db: CNNVD, id: CNNVD-201402-033
db: NVD, id: CVE-2014-1458

LAST UPDATE DATE

2024-08-14T13:35:20.182000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-69397, date: 2017-08-29T00:00:00
db: BID, id: 65354, date: 2014-02-03T00:00:00
db: JVNDB, id: JVNDB-2014-001315, date: 2014-02-06T00:00:00
db: CNNVD, id: CNNVD-201402-033, date: 2014-02-12T00:00:00
db: NVD, id: CVE-2014-1458, date: 2017-08-29T01:34:25.327

SOURCES RELEASE DATE

db: VULHUB, id: VHN-69397, date: 2014-02-04T00:00:00
db: BID, id: 65354, date: 2014-02-03T00:00:00
db: JVNDB, id: JVNDB-2014-001315, date: 2014-02-06T00:00:00
db: CNNVD, id: CNNVD-201402-033, date: 2014-02-12T00:00:00
db: NVD, id: CVE-2014-1458, date: 2014-02-04T21:55:08.077