ID

VAR-201505-0126

CVE

CVE-2014-8616

TITLE

Fortinet FortiOS Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2014-008045

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiOS 5.2.x before 5.2.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to the (1) user group or (2) vpn template menus. Fortinet FortiOS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPsec/SSL VPN, Web content filtering and anti-spam.

Trust: 1.98

sources: NVD: CVE-2014-8616 // JVNDB: JVNDB-2014-008045 // BID: 72562 // VULHUB: VHN-76561

AFFECTED PRODUCTS

vendor    model    scope  version  Trust
fortinet  fortios  eq     5.2.2    1.9
fortinet  fortios  eq     5.2.1    1.9
fortinet  fortios  eq     5.2.0    1.9
fortinet  fortios  eq     5.2.3    0.8
fortinet  fortios  lt     5.2.x    0.8
fortinet  fortios  eq     5.0.9    0.3
fortinet  fortios  eq     5.0.8    0.3
fortinet  fortios  eq     5.0.7    0.3
fortinet  fortios  eq     5.0.3    0.3
fortinet  fortios  eq     5.0.2    0.3
fortinet  fortios  eq     5.0.1    0.3
fortinet  fortios  eq     4.7.7    0.3
fortinet  fortios  eq     4.3.17   0.3
fortinet  fortios  eq     4.3.15   0.3
fortinet  fortios  eq     4.3.10   0.3
fortinet  fortios  eq     4.3.8    0.3
fortinet  fortios  eq     4.3      0.3
fortinet  fortios  eq     3.0      0.3
fortinet  fortios  eq     2.80     0.3
fortinet  fortios  eq     2.50     0.3
fortinet  fortios  eq     2.36     0.3
fortinet  fortios  eq     5.0.6    0.3
fortinet  fortios  eq     5.0.5    0.3
fortinet  fortios  eq     5.0.4    0.3
fortinet  fortios  eq     5.0.0    0.3
fortinet  fortios  eq     5.0      0.3
fortinet  fortios  eq     4.3.18   0.3
fortinet  fortios  eq     4.3.16   0.3
fortinet  fortios  eq     4.3.14   0.3
fortinet  fortios  eq     4.3.13   0.3
fortinet  fortios  eq     4.3.12   0.3
fortinet  fortios  ne     5.2.3    0.3

sources: BID: 72562 // JVNDB: JVNDB-2014-008045 // CNNVD: CNNVD-201505-094 // NVD: CVE-2014-8616

CVSS

SEVERITY

nvd@nist.gov: CVE-2014-8616
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-8616
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201505-094
value: MEDIUM

Trust: 0.6

VULHUB: VHN-76561
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2014-8616
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-76561
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-76561 // JVNDB: JVNDB-2014-008045 // CNNVD: CNNVD-201505-094 // NVD: CVE-2014-8616

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-76561 // JVNDB: JVNDB-2014-008045 // NVD: CVE-2014-8616

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201505-094

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201505-094

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-008045

PATCH

title: Multiple products cross-site scripting vulnerabilities
url: http://www.fortiguard.com/advisory/FG-IR-15-005/

Trust: 0.8

sources: JVNDB: JVNDB-2014-008045

EXTERNAL IDS

db        id                 Trust
NVD       CVE-2014-8616      2.8
SECTRACK  1032262            1.1
SECTRACK  1032261            1.1
SECTRACK  1032264            1.1
SECTRACK  1032265            1.1
JVNDB     JVNDB-2014-008045  0.8
CNNVD     CNNVD-201505-094   0.7
BID       72562              0.4
VULHUB    VHN-76561          0.1

sources: VULHUB: VHN-76561 // BID: 72562 // JVNDB: JVNDB-2014-008045 // CNNVD: CNNVD-201505-094 // NVD: CVE-2014-8616

REFERENCES

url:http://www.fortiguard.com/advisory/fg-ir-15-005/

Trust: 2.0

url:http://www.securitytracker.com/id/1032261

Trust: 1.1

url:http://www.securitytracker.com/id/1032262

Trust: 1.1

url:http://www.securitytracker.com/id/1032264

Trust: 1.1

url:http://www.securitytracker.com/id/1032265

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8616

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8616

Trust: 0.8

url:http://www.fortinet.com/

Trust: 0.3

sources: VULHUB: VHN-76561 // BID: 72562 // JVNDB: JVNDB-2014-008045 // CNNVD: CNNVD-201505-094 // NVD: CVE-2014-8616

CREDITS

Jared Haight, William Costa and Benjamin Kunz Mejri

Trust: 0.3

sources: BID: 72562

SOURCES

db: VULHUB  id: VHN-76561
db: BID     id: 72562
db: JVNDB   id: JVNDB-2014-008045
db: CNNVD   id: CNNVD-201505-094
db: NVD     id: CVE-2014-8616

LAST UPDATE DATE

2024-08-14T13:47:42.523000+00:00

SOURCES UPDATE DATE

db: VULHUB  id: VHN-76561          date: 2017-01-03T00:00:00
db: BID     id: 72562              date: 2015-02-25T00:00:00
db: JVNDB   id: JVNDB-2014-008045  date: 2015-05-14T00:00:00
db: CNNVD   id: CNNVD-201505-094   date: 2015-05-13T00:00:00
db: NVD     id: CVE-2014-8616      date: 2017-01-03T02:59:20.347

SOURCES RELEASE DATE

db: VULHUB  id: VHN-76561          date: 2015-05-12T00:00:00
db: BID     id: 72562              date: 2015-02-25T00:00:00
db: JVNDB   id: JVNDB-2014-008045  date: 2015-05-14T00:00:00
db: CNNVD   id: CNNVD-201505-094   date: 2015-05-13T00:00:00
db: NVD     id: CVE-2014-8616      date: 2015-05-12T19:59:00.097