ID

VAR-201410-0763


CVE

CVE-2014-2335


TITLE

Fortinet FortiManager of Web User Interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-005169

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336. FortiManager and FortiAnalyzer are prone to multiple cross-site scripting vulnerabilities because they fail to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to FortiManager and FortiAnalyzer 5.0.7 are vulnerable. Fortinet FortiManager is a centralized network security management platform developed by Fortinet. The platform supports centralized management of any number of Fortinet devices, and can group devices into different administrative domains (ADOMs) to further simplify multi-device security deployment and management.

Trust: 1.98

sources: NVD: CVE-2014-2335 // JVNDB: JVNDB-2014-005169 // BID: 70890 // VULHUB: VHN-70274

AFFECTED PRODUCTS

vendor: fortinet, model: fortianalyzer, scope: lte, version: 5.0.6

Trust: 1.0

vendor: fortinet, model: fortianalyzer, scope: eq, version: 5.0.6

Trust: 0.9

vendor: fortinet, model: fortimanager, scope: lt, version: 5.0.7

Trust: 0.8

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.6

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 4.3

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 3.0

Trust: 0.3

vendor: fortinet, model: fortianalyzer, scope: eq, version: 5.0.5

Trust: 0.3

vendor: fortinet, model: fortianalyzer, scope: eq, version: 5.0.4

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: ne, version: 5.0.7

Trust: 0.3

vendor: fortinet, model: fortianalyzer, scope: ne, version: 5.0.7

Trust: 0.3

sources: BID: 70890 // JVNDB: JVNDB-2014-005169 // CNNVD: CNNVD-201410-1439 // NVD: CVE-2014-2335

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2335
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-2335
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201410-1439
value: MEDIUM

Trust: 0.6

VULHUB: VHN-70274
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-2335
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-70274
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-70274 // JVNDB: JVNDB-2014-005169 // CNNVD: CNNVD-201410-1439 // NVD: CVE-2014-2335

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-70274 // JVNDB: JVNDB-2014-005169 // NVD: CVE-2014-2335

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-1439

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201410-1439

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005169

PATCH

title: Multiple XSS vulnerabilities in FortiManager and FortiAnalyzer Web UI
url: http://www.fortiguard.com/advisory/FG-IR-14-033/

Trust: 0.8

sources: JVNDB: JVNDB-2014-005169

EXTERNAL IDS

db: NVD, id: CVE-2014-2335

Trust: 2.8

db: SECUNIA, id: 61309

Trust: 1.1

db: JVNDB, id: JVNDB-2014-005169

Trust: 0.8

db: CNNVD, id: CNNVD-201410-1439

Trust: 0.7

db: BID, id: 70890

Trust: 0.4

db: VULHUB, id: VHN-70274

Trust: 0.1

sources: VULHUB: VHN-70274 // BID: 70890 // JVNDB: JVNDB-2014-005169 // CNNVD: CNNVD-201410-1439 // NVD: CVE-2014-2335

REFERENCES

url: http://www.fortiguard.com/advisory/fg-ir-14-033/

Trust: 2.0

url: http://secunia.com/advisories/61309

Trust: 1.1

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/98478

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2335

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2335

Trust: 0.8

url: http://www.fortinet.com/products/fortianalyzer/

Trust: 0.3

url: http://www.fortinet.com/products/fortimanager/

Trust: 0.3

sources: VULHUB: VHN-70274 // BID: 70890 // JVNDB: JVNDB-2014-005169 // CNNVD: CNNVD-201410-1439 // NVD: CVE-2014-2335

CREDITS

Oded Vanunu and Adi Volkovitz of Check Point Security Research Team.

Trust: 0.3

sources: BID: 70890

SOURCES

db: VULHUB, id: VHN-70274
db: BID, id: 70890
db: JVNDB, id: JVNDB-2014-005169
db: CNNVD, id: CNNVD-201410-1439
db: NVD, id: CVE-2014-2335

LAST UPDATE DATE

2024-08-14T14:46:40.856000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-70274, date: 2017-08-29T00:00:00
db: BID, id: 70890, date: 2014-10-30T00:00:00
db: JVNDB, id: JVNDB-2014-005169, date: 2014-11-04T00:00:00
db: CNNVD, id: CNNVD-201410-1439, date: 2014-11-02T00:00:00
db: NVD, id: CVE-2014-2335, date: 2017-08-29T01:34:30.810

SOURCES RELEASE DATE

db: VULHUB, id: VHN-70274, date: 2014-10-31T00:00:00
db: BID, id: 70890, date: 2014-10-30T00:00:00
db: JVNDB, id: JVNDB-2014-005169, date: 2014-11-04T00:00:00
db: CNNVD, id: CNNVD-201410-1439, date: 2014-10-31T00:00:00
db: NVD, id: CVE-2014-2335, date: 2014-10-31T14:55:02.860