Details of VAR-201410-0762

ID

VAR-201410-0762

CVE

CVE-2014-2334

TITLE

Fortinet FortiAnalyzer of Web User Interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-005168

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336. FortiManager and FortiAnalyzer are prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to FortiManager and FortiAnalyzer 5.0.7 are vulnerable. Fortinet FortiAnalyzer is a centralized network security reporting solution from Fortinet. This solution is mainly used to collect network log data, and analyze, report, and archive the security events, network traffic, and Web content in the logs through the report suite

Trust: 2.07

sources: NVD: CVE-2014-2334 // JVNDB: JVNDB-2014-005168 // BID: 70887 // VULHUB: VHN-70273 // VULMON: CVE-2014-2334

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortianalyzer	scope:	lte	version:	5.0.6	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	lt	version:	5.0.7	Trust: 0.8
vendor:	fortinet	model:	fortianalyzer	scope:	eq	version:	5.0.6	Trust: 0.6

sources: JVNDB: JVNDB-2014-005168 // CNNVD: CNNVD-201410-1438 // NVD: CVE-2014-2334

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-2334
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-2334
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201410-1438
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-70273
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2014-2334
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-2334
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-70273
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-70273 // VULMON: CVE-2014-2334 // JVNDB: JVNDB-2014-005168 // CNNVD: CNNVD-201410-1438 // NVD: CVE-2014-2334

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-70273 // JVNDB: JVNDB-2014-005168 // NVD: CVE-2014-2334

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-1438

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201410-1438

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005168

PATCH

title:	Multiple XSS vulnerabilities in FortiManager and FortiAnalyzer Web UI	url:	http://www.fortiguard.com/advisory/FG-IR-14-033/	Trust: 0.8
title:	Debian CVElist Bug Report Logs: lighttpd: SA_2014_01	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=33c9670155f0ef76c49f3f7f94255d9e	Trust: 0.1

sources: VULMON: CVE-2014-2334 // JVNDB: JVNDB-2014-005168

EXTERNAL IDS

db:	NVD	id:	CVE-2014-2334	Trust: 2.9
db:	BID	id:	70887	Trust: 1.5
db:	SECUNIA	id:	61309	Trust: 1.2
db:	JVNDB	id:	JVNDB-2014-005168	Trust: 0.8
db:	CNNVD	id:	CNNVD-201410-1438	Trust: 0.7
db:	VULHUB	id:	VHN-70273	Trust: 0.1
db:	VULMON	id:	CVE-2014-2334	Trust: 0.1

sources: VULHUB: VHN-70273 // VULMON: CVE-2014-2334 // BID: 70887 // JVNDB: JVNDB-2014-005168 // CNNVD: CNNVD-201410-1438 // NVD: CVE-2014-2334

REFERENCES

url:	http://www.fortiguard.com/advisory/fg-ir-14-033/	Trust: 1.8
url:	http://www.securityfocus.com/bid/70887	Trust: 1.3
url:	http://secunia.com/advisories/61309	Trust: 1.2
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/98477	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2334	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2334	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741493	Trust: 0.1

sources: VULHUB: VHN-70273 // VULMON: CVE-2014-2334 // JVNDB: JVNDB-2014-005168 // CNNVD: CNNVD-201410-1438 // NVD: CVE-2014-2334

CREDITS

Oded Vanunu & Adi Volkovitz, Check Point Security Research Team.

Trust: 0.3

sources: BID: 70887

SOURCES

db:	VULHUB	id:	VHN-70273
db:	VULMON	id:	CVE-2014-2334
db:	BID	id:	70887
db:	JVNDB	id:	JVNDB-2014-005168
db:	CNNVD	id:	CNNVD-201410-1438
db:	NVD	id:	CVE-2014-2334

LAST UPDATE DATE

2024-08-14T14:46:40.824000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-70273	date:	2017-08-29T00:00:00
db:	VULMON	id:	CVE-2014-2334	date:	2017-08-29T00:00:00
db:	BID	id:	70887	date:	2014-11-27T08:59:00
db:	JVNDB	id:	JVNDB-2014-005168	date:	2014-11-04T00:00:00
db:	CNNVD	id:	CNNVD-201410-1438	date:	2014-11-02T00:00:00
db:	NVD	id:	CVE-2014-2334	date:	2017-08-29T01:34:30.700

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-70273	date:	2014-10-31T00:00:00
db:	VULMON	id:	CVE-2014-2334	date:	2014-10-31T00:00:00
db:	BID	id:	70887	date:	2014-10-30T00:00:00
db:	JVNDB	id:	JVNDB-2014-005168	date:	2014-11-04T00:00:00
db:	CNNVD	id:	CNNVD-201410-1438	date:	2014-10-31T00:00:00
db:	NVD	id:	CVE-2014-2334	date:	2014-10-31T14:55:02.797