ID

VAR-201410-0762


CVE

CVE-2014-2334


TITLE

Cross-site scripting vulnerability in the Web User Interface of Fortinet FortiAnalyzer

Trust: 0.8

sources: JVNDB: JVNDB-2014-005168

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

FortiManager and FortiAnalyzer are prone to multiple cross-site scripting vulnerabilities because they fail to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. FortiManager and FortiAnalyzer versions prior to 5.0.7 are vulnerable.

Fortinet FortiAnalyzer is a centralized network security reporting solution from Fortinet. It is mainly used to collect network log data and to analyze, report on, and archive the security events, network traffic, and Web content in the logs through the report suite.

Trust: 2.07

sources: NVD: CVE-2014-2334 // JVNDB: JVNDB-2014-005168 // BID: 70887 // VULHUB: VHN-70273 // VULMON: CVE-2014-2334

AFFECTED PRODUCTS

vendor: fortinet // model: fortianalyzer // scope: lte // version: 5.0.6

Trust: 1.0

vendor: fortinet // model: fortianalyzer // scope: lt // version: 5.0.7

Trust: 0.8

vendor: fortinet // model: fortianalyzer // scope: eq // version: 5.0.6

Trust: 0.6

sources: JVNDB: JVNDB-2014-005168 // CNNVD: CNNVD-201410-1438 // NVD: CVE-2014-2334

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2334
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-2334
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201410-1438
value: MEDIUM

Trust: 0.6

VULHUB: VHN-70273
value: MEDIUM

Trust: 0.1

VULMON: CVE-2014-2334
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-2334
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-70273
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-70273 // VULMON: CVE-2014-2334 // JVNDB: JVNDB-2014-005168 // CNNVD: CNNVD-201410-1438 // NVD: CVE-2014-2334

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-70273 // JVNDB: JVNDB-2014-005168 // NVD: CVE-2014-2334

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-1438

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201410-1438

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005168

PATCH

title: Multiple XSS vulnerabilities in FortiManager and FortiAnalyzer Web UI // url: http://www.fortiguard.com/advisory/FG-IR-14-033/

Trust: 0.8

title: Debian CVElist Bug Report Logs: lighttpd: SA_2014_01 // url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=33c9670155f0ef76c49f3f7f94255d9e

Trust: 0.1

sources: VULMON: CVE-2014-2334 // JVNDB: JVNDB-2014-005168

EXTERNAL IDS

db: NVD // id: CVE-2014-2334

Trust: 2.9

db: BID // id: 70887

Trust: 1.5

db: SECUNIA // id: 61309

Trust: 1.2

db: JVNDB // id: JVNDB-2014-005168

Trust: 0.8

db: CNNVD // id: CNNVD-201410-1438

Trust: 0.7

db: VULHUB // id: VHN-70273

Trust: 0.1

db: VULMON // id: CVE-2014-2334

Trust: 0.1

sources: VULHUB: VHN-70273 // VULMON: CVE-2014-2334 // BID: 70887 // JVNDB: JVNDB-2014-005168 // CNNVD: CNNVD-201410-1438 // NVD: CVE-2014-2334

REFERENCES

url: http://www.fortiguard.com/advisory/fg-ir-14-033/

Trust: 1.8

url: http://www.securityfocus.com/bid/70887

Trust: 1.3

url: http://secunia.com/advisories/61309

Trust: 1.2

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/98477

Trust: 1.2

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2334

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2334

Trust: 0.8

url: https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741493

Trust: 0.1

sources: VULHUB: VHN-70273 // VULMON: CVE-2014-2334 // JVNDB: JVNDB-2014-005168 // CNNVD: CNNVD-201410-1438 // NVD: CVE-2014-2334

CREDITS

Oded Vanunu & Adi Volkovitz, Check Point Security Research Team.

Trust: 0.3

sources: BID: 70887

SOURCES

db: VULHUB // id: VHN-70273
db: VULMON // id: CVE-2014-2334
db: BID // id: 70887
db: JVNDB // id: JVNDB-2014-005168
db: CNNVD // id: CNNVD-201410-1438
db: NVD // id: CVE-2014-2334

LAST UPDATE DATE

2024-08-14T14:46:40.824000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-70273 // date: 2017-08-29T00:00:00
db: VULMON // id: CVE-2014-2334 // date: 2017-08-29T00:00:00
db: BID // id: 70887 // date: 2014-11-27T08:59:00
db: JVNDB // id: JVNDB-2014-005168 // date: 2014-11-04T00:00:00
db: CNNVD // id: CNNVD-201410-1438 // date: 2014-11-02T00:00:00
db: NVD // id: CVE-2014-2334 // date: 2017-08-29T01:34:30.700

SOURCES RELEASE DATE

db: VULHUB // id: VHN-70273 // date: 2014-10-31T00:00:00
db: VULMON // id: CVE-2014-2334 // date: 2014-10-31T00:00:00
db: BID // id: 70887 // date: 2014-10-30T00:00:00
db: JVNDB // id: JVNDB-2014-005168 // date: 2014-11-04T00:00:00
db: CNNVD // id: CNNVD-201410-1438 // date: 2014-10-31T00:00:00
db: NVD // id: CVE-2014-2334 // date: 2014-10-31T14:55:02.797