ID

VAR-201404-0184


CVE

CVE-2014-1957


TITLE

Vulnerability in FortiGuard FortiWeb that allows privileges to be gained

Trust: 0.8

sources: JVNDB: JVNDB-2014-002344

DESCRIPTION

FortiGuard FortiWeb before 5.0.3 allows remote authenticated users to gain privileges via unspecified vectors. FortiGuard FortiWeb contains a vulnerability that allows privileges to be gained. A remotely authenticated user may be able to obtain permissions.

Fortinet FortiWeb is prone to multiple security vulnerabilities, including:
1. A cross-site scripting vulnerability
2. A security-bypass vulnerability
3. An HTTP header injection vulnerability
An attacker can exploit these issues to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, bypass security restrictions to obtain sensitive information, or insert arbitrary headers into an HTTP response, which may help them launch other attacks. Fortinet FortiWeb 5.0.2 and prior are vulnerable.

Fortinet FortiGuard FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc. Sensitive database content. An elevation of privilege vulnerability exists in Fortinet FortiGuard FortiWeb 5.0.2 and earlier versions.

Trust: 1.98

sources: NVD: CVE-2014-1957 // JVNDB: JVNDB-2014-002344 // BID: 65660 // VULHUB: VHN-69896

AFFECTED PRODUCTS

vendor: fortinet, model: fortiweb, scope: lte, version: 5.0.2

Trust: 1.0

vendor: fortinet, model: fortiweb, scope: eq, version: 5.0.2

Trust: 0.9

vendor: fortinet, model: fortiweb, scope: lt, version: 5.0.3

Trust: 0.8

vendor: fortinet, model: fortiweb, scope: eq, version: 4.4.7

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: ne, version: 5.0.3

Trust: 0.3

sources: BID: 65660 // JVNDB: JVNDB-2014-002344 // CNNVD: CNNVD-201404-605 // NVD: CVE-2014-1957

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-1957
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-1957
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201404-605
value: MEDIUM

Trust: 0.6

VULHUB: VHN-69896
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-1957
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-69896
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-69896 // JVNDB: JVNDB-2014-002344 // CNNVD: CNNVD-201404-605 // NVD: CVE-2014-1957

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-69896 // JVNDB: JVNDB-2014-002344 // NVD: CVE-2014-1957

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-605

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201404-605

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002344

PATCH

title: FortiWeb Multiple Vulnerabilities, url: http://www.fortiguard.com/advisory/FG-IR-13-009/

Trust: 0.8

sources: JVNDB: JVNDB-2014-002344

EXTERNAL IDS

db: NVD, id: CVE-2014-1957

Trust: 2.8

db: JVNDB, id: JVNDB-2014-002344

Trust: 0.8

db: CNNVD, id: CNNVD-201404-605

Trust: 0.7

db: SECUNIA, id: 56981

Trust: 0.6

db: BID, id: 65660

Trust: 0.3

db: VULHUB, id: VHN-69896

Trust: 0.1

sources: VULHUB: VHN-69896 // BID: 65660 // JVNDB: JVNDB-2014-002344 // CNNVD: CNNVD-201404-605 // NVD: CVE-2014-1957

REFERENCES

url:http://www.fortiguard.com/advisory/fg-ir-13-009/

Trust: 2.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1957

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1957

Trust: 0.8

url:http://secunia.com/advisories/56981

Trust: 0.6

url:http://www.fortinet.com/

Trust: 0.3

sources: VULHUB: VHN-69896 // BID: 65660 // JVNDB: JVNDB-2014-002344 // CNNVD: CNNVD-201404-605 // NVD: CVE-2014-1957

CREDITS

Robert van Hamburg of Intermax Security

Trust: 0.3

sources: BID: 65660

SOURCES

db: VULHUB, id: VHN-69896
db: BID, id: 65660
db: JVNDB, id: JVNDB-2014-002344
db: CNNVD, id: CNNVD-201404-605
db: NVD, id: CVE-2014-1957

LAST UPDATE DATE

2024-11-23T22:08:21.599000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-69896, date: 2014-07-18T00:00:00
db: BID, id: 65660, date: 2014-02-13T00:00:00
db: JVNDB, id: JVNDB-2014-002344, date: 2014-05-02T00:00:00
db: CNNVD, id: CNNVD-201404-605, date: 2014-05-06T00:00:00
db: NVD, id: CVE-2014-1957, date: 2024-11-21T02:05:20.890

SOURCES RELEASE DATE

db: VULHUB, id: VHN-69896, date: 2014-04-30T00:00:00
db: BID, id: 65660, date: 2014-02-13T00:00:00
db: JVNDB, id: JVNDB-2014-002344, date: 2014-05-02T00:00:00
db: CNNVD, id: CNNVD-201404-605, date: 2014-04-30T00:00:00
db: NVD, id: CVE-2014-1957, date: 2014-04-30T14:22:06.237