ID

VAR-201407-0047


CVE

CVE-2014-4738


TITLE

FortiGuard FortiWeb Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2014-003332

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in FortiGuard FortiWeb 5.0.x, 5.1.x, and 5.2.x before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) user/ldap_user/check_dlg or (2) user/radius_user/check_dlg. Fortinet FortiWeb is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiWeb 5.0.x, 5.1.x and 5.2.0 are vulnerable. Fortinet FortiGuard FortiWeb is a web application layer firewall developed by Fortinet; it can block threats such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning, and protects sensitive database content. A cross-site scripting vulnerability exists in the user/ldap_user/check_dlg and user/radius_user/check_dlg URIs of Fortinet FortiGuard FortiWeb 5.0.x to 5.2.0.

Trust: 1.98

sources: NVD: CVE-2014-4738 // JVNDB: JVNDB-2014-003332 // BID: 68528 // VULHUB: VHN-72679

AFFECTED PRODUCTS

vendor: fortinet, model: fortiweb, scope: eq, version: 5.0.4

Trust: 1.9

vendor: fortinet, model: fortiweb, scope: eq, version: 5.0.3

Trust: 1.9

vendor: fortinet, model: fortiweb, scope: eq, version: 5.0.2

Trust: 1.9

vendor: fortinet, model: fortiweb, scope: eq, version: 5.2.0

Trust: 1.9

vendor: fortinet, model: fortiweb, scope: eq, version: 5.1.4

Trust: 1.9

vendor: fortinet, model: fortiweb, scope: eq, version: 5.1.3

Trust: 1.9

vendor: fortinet, model: fortiweb, scope: eq, version: 5.1.2

Trust: 1.9

vendor: fortinet, model: fortiweb, scope: eq, version: 5.1.1

Trust: 1.9

vendor: fortinet, model: fortiweb, scope: eq, version: 5.1.0

Trust: 1.6

vendor: fortinet, model: fortiweb, scope: eq, version: 5.0.0

Trust: 1.6

vendor: fortinet, model: fortiweb, scope: eq, version: 5.2.1

Trust: 0.8

vendor: fortinet, model: fortiweb, scope: lt, version: 5.2.x

Trust: 0.8

vendor: fortinet, model: fortiweb, scope: eq, version: 5.1.x

Trust: 0.8

vendor: fortinet, model: fortiweb, scope: eq, version: 5.0.x

Trust: 0.8

vendor: fortinet, model: fortiweb, scope: eq, version: 5.1

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: eq, version: 5.0

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: ne, version: 5.2.1

Trust: 0.3

sources: BID: 68528 // JVNDB: JVNDB-2014-003332 // CNNVD: CNNVD-201407-287 // NVD: CVE-2014-4738

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-4738
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-4738
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201407-287
value: MEDIUM

Trust: 0.6

VULHUB: VHN-72679
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-4738
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-72679
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-72679 // JVNDB: JVNDB-2014-003332 // CNNVD: CNNVD-201407-287 // NVD: CVE-2014-4738

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-72679 // JVNDB: JVNDB-2014-003332 // NVD: CVE-2014-4738

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201407-287

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201407-287

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003332

PATCH

title: FortiWeb Cross-Site Scripting Vulnerabilities
url: http://www.fortiguard.com/advisory/FG-IR-14-012/

Trust: 0.8

sources: JVNDB: JVNDB-2014-003332

EXTERNAL IDS

db: NVD, id: CVE-2014-4738

Trust: 2.8

db: SECUNIA, id: 59882

Trust: 1.7

db: BID, id: 68528

Trust: 1.4

db: SECTRACK, id: 1030556

Trust: 1.1

db: JVNDB, id: JVNDB-2014-003332

Trust: 0.8

db: CNNVD, id: CNNVD-201407-287

Trust: 0.7

db: VULHUB, id: VHN-72679

Trust: 0.1

sources: VULHUB: VHN-72679 // BID: 68528 // JVNDB: JVNDB-2014-003332 // CNNVD: CNNVD-201407-287 // NVD: CVE-2014-4738

REFERENCES

url: http://www.fortiguard.com/advisory/fg-ir-14-012/

Trust: 2.0

url: http://secunia.com/advisories/59882

Trust: 1.7

url: http://www.securityfocus.com/bid/68528

Trust: 1.1

url: http://www.securitytracker.com/id/1030556

Trust: 1.1

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/94649

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4738

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4738

Trust: 0.8

url: http://www.fortinet.com/

Trust: 0.3

sources: VULHUB: VHN-72679 // BID: 68528 // JVNDB: JVNDB-2014-003332 // CNNVD: CNNVD-201407-287 // NVD: CVE-2014-4738

CREDITS

William Costa

Trust: 0.3

sources: BID: 68528

SOURCES

db: VULHUB, id: VHN-72679
db: BID, id: 68528
db: JVNDB, id: JVNDB-2014-003332
db: CNNVD, id: CNNVD-201407-287
db: NVD, id: CVE-2014-4738

LAST UPDATE DATE

2024-08-14T15:44:50.551000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-72679, date: 2017-08-29T00:00:00
db: BID, id: 68528, date: 2014-07-10T00:00:00
db: JVNDB, id: JVNDB-2014-003332, date: 2014-07-15T00:00:00
db: CNNVD, id: CNNVD-201407-287, date: 2014-07-14T00:00:00
db: NVD, id: CVE-2014-4738, date: 2017-08-29T01:35:05.640

SOURCES RELEASE DATE

db: VULHUB, id: VHN-72679, date: 2014-07-11T00:00:00
db: BID, id: 68528, date: 2014-07-10T00:00:00
db: JVNDB, id: JVNDB-2014-003332, date: 2014-07-15T00:00:00
db: CNNVD, id: CNNVD-201407-287, date: 2014-07-14T00:00:00
db: NVD, id: CVE-2014-4738, date: 2014-07-11T20:55:02.890