Details of VAR-201410-0763

ID

VAR-201410-0763

CVE

CVE-2014-2335

TITLE

Fortinet FortiManager of Web User Interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-005169

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336. FortiManager and FortiAnalyzer are prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to FortiManager and FortiAnalyzer 5.0.7 are vulnerable. Fortinet FortiManager is a centralized network security management platform developed by Fortinet. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management

Trust: 1.98

sources: NVD: CVE-2014-2335 // JVNDB: JVNDB-2014-005169 // BID: 70890 // VULHUB: VHN-70274

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortianalyzer	scope:	lte	version:	5.0.6	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	eq	version:	5.0.6	Trust: 0.9
vendor:	fortinet	model:	fortimanager	scope:	lt	version:	5.0.7	Trust: 0.8
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.0.6	Trust: 0.3
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	4.3	Trust: 0.3
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	3.0	Trust: 0.3
vendor:	fortinet	model:	fortianalyzer	scope:	eq	version:	5.0.5	Trust: 0.3
vendor:	fortinet	model:	fortianalyzer	scope:	eq	version:	5.0.4	Trust: 0.3
vendor:	fortinet	model:	fortimanager	scope:	ne	version:	5.0.7	Trust: 0.3
vendor:	fortinet	model:	fortianalyzer	scope:	ne	version:	5.0.7	Trust: 0.3

sources: BID: 70890 // JVNDB: JVNDB-2014-005169 // CNNVD: CNNVD-201410-1439 // NVD: CVE-2014-2335

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-2335
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-2335
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201410-1439
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-70274
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-2335
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-70274
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-70274 // JVNDB: JVNDB-2014-005169 // CNNVD: CNNVD-201410-1439 // NVD: CVE-2014-2335

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-70274 // JVNDB: JVNDB-2014-005169 // NVD: CVE-2014-2335

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-1439

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201410-1439

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005169

PATCH

title:

Multiple XSS vulnerabilities in FortiManager and FortiAnalyzer Web UI

url:

http://www.fortiguard.com/advisory/FG-IR-14-033/

Trust: 0.8

sources: JVNDB: JVNDB-2014-005169

EXTERNAL IDS

db:	NVD	id:	CVE-2014-2335	Trust: 2.8
db:	SECUNIA	id:	61309	Trust: 1.1
db:	JVNDB	id:	JVNDB-2014-005169	Trust: 0.8
db:	CNNVD	id:	CNNVD-201410-1439	Trust: 0.7
db:	BID	id:	70890	Trust: 0.4
db:	VULHUB	id:	VHN-70274	Trust: 0.1

sources: VULHUB: VHN-70274 // BID: 70890 // JVNDB: JVNDB-2014-005169 // CNNVD: CNNVD-201410-1439 // NVD: CVE-2014-2335

REFERENCES

url:	http://www.fortiguard.com/advisory/fg-ir-14-033/	Trust: 2.0
url:	http://secunia.com/advisories/61309	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/98478	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2335	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2335	Trust: 0.8
url:	http://www.fortinet.com/products/fortianalyzer/	Trust: 0.3
url:	http://www.fortinet.com/products/fortimanager/	Trust: 0.3

sources: VULHUB: VHN-70274 // BID: 70890 // JVNDB: JVNDB-2014-005169 // CNNVD: CNNVD-201410-1439 // NVD: CVE-2014-2335

CREDITS

Oded Vanunu and Adi Volkovitz of Check Point Security Research Team.

Trust: 0.3

sources: BID: 70890

SOURCES

db:	VULHUB	id:	VHN-70274
db:	BID	id:	70890
db:	JVNDB	id:	JVNDB-2014-005169
db:	CNNVD	id:	CNNVD-201410-1439
db:	NVD	id:	CVE-2014-2335

LAST UPDATE DATE

2024-08-14T14:46:40.856000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-70274	date:	2017-08-29T00:00:00
db:	BID	id:	70890	date:	2014-10-30T00:00:00
db:	JVNDB	id:	JVNDB-2014-005169	date:	2014-11-04T00:00:00
db:	CNNVD	id:	CNNVD-201410-1439	date:	2014-11-02T00:00:00
db:	NVD	id:	CVE-2014-2335	date:	2017-08-29T01:34:30.810

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-70274	date:	2014-10-31T00:00:00
db:	BID	id:	70890	date:	2014-10-30T00:00:00
db:	JVNDB	id:	JVNDB-2014-005169	date:	2014-11-04T00:00:00
db:	CNNVD	id:	CNNVD-201410-1439	date:	2014-10-31T00:00:00
db:	NVD	id:	CVE-2014-2335	date:	2014-10-31T14:55:02.860