Sign-up

ID

VAR-201404-0184


CVE

CVE-2014-1957


TITLE

FortiGuard FortiWeb Vulnerability gained in

Trust: 0.8

sources: JVNDB: JVNDB-2014-002344

DESCRIPTION

FortiGuard FortiWeb before 5.0.3 allows remote authenticated users to gain privileges via unspecified vectors. FortiGuard FortiWeb Contains a privileged vulnerability.A user who has been remotely authenticated may be able to obtain permission. Fortinet Fortiweb is prone to multiple security vulnerabilities, including; 1. A cross-site scripting vulnerability 2. A security-bypass vulnerability 3. An HTTP Header Injection Vulnerability An attacker can exploit these issues to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, bypass security restrictions to obtain sensitive information, or insert arbitrary headers into an HTTP response, which may help them launch other attacks. Fortinet Fortiweb 5.0.2 and prior are vulnerable. Fortinet FortiGuard FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc. Sensitive database content. Elevation of privilege vulnerability exists in Fortinet FortiGuard FortiWeb 5.0.2 and earlier versions

Trust: 1.98

sources: NVD: CVE-2014-1957 // JVNDB: JVNDB-2014-002344 // BID: 65660 // VULHUB: VHN-69896

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiwebscope:lteversion:5.0.2

Trust: 1.0

vendor:fortinetmodel:fortiwebscope:eqversion:5.0.2

Trust: 0.9

vendor:fortinetmodel:fortiwebscope:ltversion:5.0.3

Trust: 0.8

vendor:fortinetmodel:fortiwebscope:eqversion:4.4.7

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:neversion:5.0.3

Trust: 0.3

sources: BID: 65660 // JVNDB: JVNDB-2014-002344 // CNNVD: CNNVD-201404-605 // NVD: CVE-2014-1957

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-1957
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-1957
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201404-605
value: MEDIUM

Trust: 0.6

VULHUB: VHN-69896
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-1957
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-69896
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-69896 // JVNDB: JVNDB-2014-002344 // CNNVD: CNNVD-201404-605 // NVD: CVE-2014-1957

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-69896 // JVNDB: JVNDB-2014-002344 // NVD: CVE-2014-1957

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-605

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201404-605

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-002344

PATCH
title:FortiWeb Multiple Vulnerabilitiesurl:http://www.fortiguard.com/advisory/FG-IR-13-009/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2014-002344

EXTERNAL IDS
db:NVDid:CVE-2014-1957
Trust: 2.8
db:JVNDBid:JVNDB-2014-002344
Trust: 0.8
db:CNNVDid:CNNVD-201404-605
Trust: 0.7
db:SECUNIAid:56981
Trust: 0.6
db:BIDid:65660
Trust: 0.3
db:VULHUBid:VHN-69896
Trust: 0.1
sources:
            
            
            VULHUB: VHN-69896 // 
            
            
            
            BID: 65660 // 
            
            
            
            JVNDB: JVNDB-2014-002344 // 
            
            
            
            CNNVD: CNNVD-201404-605 // 
            
            
            
            NVD: CVE-2014-1957

REFERENCES
url:http://www.fortiguard.com/advisory/fg-ir-13-009/
Trust: 2.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1957
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1957
Trust: 0.8
url:http://secunia.com/advisories/56981
Trust: 0.6
url:http://www.fortinet.com/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-69896 // 
            
            
            
            BID: 65660 // 
            
            
            
            JVNDB: JVNDB-2014-002344 // 
            
            
            
            CNNVD: CNNVD-201404-605 // 
            
            
            
            NVD: CVE-2014-1957

CREDITS
Robert van Hamburg of Intermax Security
Trust: 0.3
sources:
            
            
            BID: 65660

SOURCES
db:VULHUBid:VHN-69896
db:BIDid:65660
db:JVNDBid:JVNDB-2014-002344
db:CNNVDid:CNNVD-201404-605
db:NVDid:CVE-2014-1957

LAST UPDATE DATE
2024-08-14T14:21:08.726000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-69896date:2014-07-18T00:00:00
db:BIDid:65660date:2014-02-13T00:00:00
db:JVNDBid:JVNDB-2014-002344date:2014-05-02T00:00:00
db:CNNVDid:CNNVD-201404-605date:2014-05-06T00:00:00
db:NVDid:CVE-2014-1957date:2014-07-18T18:32:37.230

SOURCES RELEASE DATE
db:VULHUBid:VHN-69896date:2014-04-30T00:00:00
db:BIDid:65660date:2014-02-13T00:00:00
db:JVNDBid:JVNDB-2014-002344date:2014-05-02T00:00:00
db:CNNVDid:CNNVD-201404-605date:2014-04-30T00:00:00
db:NVDid:CVE-2014-1957date:2014-04-30T14:22:06.237