ID

VAR-201503-0155


CVE

CVE-2014-8617


TITLE

Cross-site scripting vulnerability in the Web Action Quarantine Release functionality of the WebGUI in Fortinet FortiMail

Trust: 0.8

sources: JVNDB: JVNDB-2014-007954

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the Web Action Quarantine Release feature in the WebGUI in Fortinet FortiMail before 4.3.9, 5.0.x before 5.0.8, 5.1.x before 5.1.5, and 5.2.x before 5.2.3 allows remote attackers to inject arbitrary web script or HTML via the release parameter to module/releasecontrol. Fortinet FortiMail is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiMail is an email information security device from Fortinet, which provides an information filtering engine, anti-spam and threat defense functions. The vulnerability is caused by the fact that the module/releasecontrol URI does not sufficiently filter the 'release' parameter. The following versions are affected: Fortinet FortiMail prior to 4.3.9, 5.0.x prior to 5.0.8, 5.1.x prior to 5.1.5, and 5.2.x prior to 5.2.3.

Trust: 1.98

sources: NVD: CVE-2014-8617 // JVNDB: JVNDB-2014-007954 // BID: 72820 // VULHUB: VHN-76562

AFFECTED PRODUCTS

vendor: fortinet, model: fortimail, scope: eq, version: 5.1

Trust: 1.6

vendor: fortinet, model: fortimail, scope: eq, version: 5.2.1

Trust: 1.6

vendor: fortinet, model: fortimail, scope: eq, version: 5.0.1

Trust: 1.6

vendor: fortinet, model: fortimail, scope: eq, version: 5.1.1

Trust: 1.6

vendor: fortinet, model: fortimail, scope: eq, version: 5.2.2

Trust: 1.6

vendor: fortinet, model: fortimail, scope: eq, version: 5.0.2

Trust: 1.6

vendor: fortinet, model: fortimail, scope: eq, version: 5.1.2

Trust: 1.6

vendor: fortinet, model: fortimail, scope: eq, version: 5.1.3

Trust: 1.6

vendor: fortinet, model: fortimail, scope: eq, version: 5.1.4

Trust: 1.6

vendor: fortinet, model: fortimail, scope: eq, version: 5.2

Trust: 1.6

vendor: fortinet, model: fortimail, scope: eq, version: 5.0.6

Trust: 1.0

vendor: fortinet, model: fortimail, scope: eq, version: 5.0.7

Trust: 1.0

vendor: fortinet, model: fortimail, scope: eq, version: 5.0.3

Trust: 1.0

vendor: fortinet, model: fortimail, scope: eq, version: 5.0.4

Trust: 1.0

vendor: fortinet, model: fortimail, scope: eq, version: 5.0.5

Trust: 1.0

vendor: fortinet, model: fortimail, scope: eq, version: 5.0

Trust: 1.0

vendor: fortinet, model: fortimail, scope: lte, version: 4.3.8

Trust: 1.0

vendor: fortinet, model: fortimail, scope: eq, version: 5.2.3

Trust: 0.8

vendor: fortinet, model: fortimail, scope: eq, version: 5.1.5

Trust: 0.8

vendor: fortinet, model: fortimail, scope: eq, version: 5.0.8

Trust: 0.8

vendor: fortinet, model: fortimail, scope: lt, version: 5.0.x

Trust: 0.8

vendor: fortinet, model: fortimail, scope: lt, version: 5.2.x

Trust: 0.8

vendor: fortinet, model: fortimail, scope: lt, version: 5.1.x

Trust: 0.8

sources: JVNDB: JVNDB-2014-007954 // CNNVD: CNNVD-201503-022 // NVD: CVE-2014-8617

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8617
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-8617
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201503-022
value: MEDIUM

Trust: 0.6

VULHUB: VHN-76562
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-8617
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-76562
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-76562 // JVNDB: JVNDB-2014-007954 // CNNVD: CNNVD-201503-022 // NVD: CVE-2014-8617

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-76562 // JVNDB: JVNDB-2014-007954 // NVD: CVE-2014-8617

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201503-022

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201503-022

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-007954

PATCH

title: XSS vulnerability in web action quarantine release feature of FortiMail
url: http://www.fortiguard.com/advisory/FG-IR-15-005/

Trust: 0.8

sources: JVNDB: JVNDB-2014-007954

EXTERNAL IDS

db: NVD, id: CVE-2014-8617

Trust: 2.8

db: SECTRACK, id: 1031859

Trust: 1.1

db: BID, id: 72820

Trust: 1.0

db: JVNDB, id: JVNDB-2014-007954

Trust: 0.8

db: CNNVD, id: CNNVD-201503-022

Trust: 0.7

db: VULHUB, id: VHN-76562

Trust: 0.1

sources: VULHUB: VHN-76562 // BID: 72820 // JVNDB: JVNDB-2014-007954 // CNNVD: CNNVD-201503-022 // NVD: CVE-2014-8617

REFERENCES

url:http://www.fortiguard.com/advisory/fg-ir-15-005/

Trust: 2.0

url:http://seclists.org/fulldisclosure/2015/mar/5

Trust: 1.7

url:http://www.securitytracker.com/id/1031859

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8617

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8617

Trust: 0.8

url:http://www.securityfocus.com/bid/72820

Trust: 0.6

url:http://www.fortinet.com/products/fortimail/

Trust: 0.3

sources: VULHUB: VHN-76562 // BID: 72820 // JVNDB: JVNDB-2014-007954 // CNNVD: CNNVD-201503-022 // NVD: CVE-2014-8617

CREDITS

William Costa

Trust: 0.9

sources: BID: 72820 // CNNVD: CNNVD-201503-022

SOURCES

db: VULHUB, id: VHN-76562
db: BID, id: 72820
db: JVNDB, id: JVNDB-2014-007954
db: CNNVD, id: CNNVD-201503-022
db: NVD, id: CVE-2014-8617

LAST UPDATE DATE

2024-08-14T14:14:01.420000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-76562, date: 2015-11-19T00:00:00
db: BID, id: 72820, date: 2015-03-19T07:34:00
db: JVNDB, id: JVNDB-2014-007954, date: 2015-03-06T00:00:00
db: CNNVD, id: CNNVD-201503-022, date: 2015-03-05T00:00:00
db: NVD, id: CVE-2014-8617, date: 2015-11-19T17:43:09.690

SOURCES RELEASE DATE

db: VULHUB, id: VHN-76562, date: 2015-03-04T00:00:00
db: BID, id: 72820, date: 2015-02-25T00:00:00
db: JVNDB, id: JVNDB-2014-007954, date: 2015-03-06T00:00:00
db: CNNVD, id: CNNVD-201503-022, date: 2015-02-25T00:00:00
db: NVD, id: CVE-2014-8617, date: 2015-03-04T19:59:00.047