ID

VAR-201505-0128


CVE

CVE-2014-8619


TITLE

Fortinet FortiWeb Cross-site scripting vulnerability in the automatic learning settings page

Trust: 0.8

sources: JVNDB: JVNDB-2014-008043

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the autolearn configuration page in Fortinet FortiWeb 5.1.2 through 5.3.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Fortinet FortiWeb is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content.

Trust: 2.07

sources: NVD: CVE-2014-8619 // JVNDB: JVNDB-2014-008043 // BID: 74679 // VULHUB: VHN-76564 // VULMON: CVE-2014-8619

AFFECTED PRODUCTS

vendor: fortinet, model: fortiweb, scope: eq, version: 5.3.1

Trust: 1.9

vendor: fortinet, model: fortiweb, scope: eq, version: 5.1.4

Trust: 1.9

vendor: fortinet, model: fortiweb, scope: eq, version: 5.1.3

Trust: 1.9

vendor: fortinet, model: fortiweb, scope: eq, version: 5.1.2

Trust: 1.9

vendor: fortinet, model: fortiweb, scope: eq, version: 5.2.1

Trust: 1.6

vendor: fortinet, model: fortiweb, scope: eq, version: 5.3.0

Trust: 1.6

vendor: fortinet, model: fortiweb, scope: eq, version: 5.2.2

Trust: 1.6

vendor: fortinet, model: fortiweb, scope: eq, version: 5.2.3

Trust: 1.6

vendor: fortinet, model: fortiweb, scope: eq, version: 5.2.4

Trust: 1.6

vendor: fortinet, model: fortiweb, scope: eq, version: 5.2.0

Trust: 1.6

vendor: fortinet, model: fortiweb, scope: eq, version: 5.3.4

Trust: 1.3

vendor: fortinet, model: fortiweb, scope: eq, version: 5.3.3

Trust: 1.3

vendor: fortinet, model: fortiweb, scope: eq, version: 5.3.2

Trust: 1.3

vendor: fortinet, model: fortiweb, scope: eq, version: 5.1.2 to 5.3.4

Trust: 0.8

vendor: fortinet, model: fortiweb, scope: ne, version: 5.3.5

Trust: 0.3

sources: BID: 74679 // JVNDB: JVNDB-2014-008043 // CNNVD: CNNVD-201505-096 // NVD: CVE-2014-8619

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8619
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-8619
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201505-096
value: MEDIUM

Trust: 0.6

VULHUB: VHN-76564
value: MEDIUM

Trust: 0.1

VULMON: CVE-2014-8619
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-8619
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-76564
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-76564 // VULMON: CVE-2014-8619 // JVNDB: JVNDB-2014-008043 // CNNVD: CNNVD-201505-096 // NVD: CVE-2014-8619

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-76564 // JVNDB: JVNDB-2014-008043 // NVD: CVE-2014-8619

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201505-096

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201505-096

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-008043

PATCH

title: Multiple products cross-site scripting vulnerabilities
url: http://www.fortiguard.com/advisory/FG-IR-15-005/

Trust: 0.8

sources: JVNDB: JVNDB-2014-008043

EXTERNAL IDS

db: NVD, id: CVE-2014-8619

Trust: 2.9

db: SECTRACK, id: 1032307

Trust: 1.2

db: JVNDB, id: JVNDB-2014-008043

Trust: 0.8

db: CNNVD, id: CNNVD-201505-096

Trust: 0.7

db: BID, id: 74679

Trust: 0.4

db: VULHUB, id: VHN-76564

Trust: 0.1

db: VULMON, id: CVE-2014-8619

Trust: 0.1

sources: VULHUB: VHN-76564 // VULMON: CVE-2014-8619 // BID: 74679 // JVNDB: JVNDB-2014-008043 // CNNVD: CNNVD-201505-096 // NVD: CVE-2014-8619

REFERENCES

url: http://www.fortiguard.com/advisory/fg-ir-15-005/

Trust: 2.1

url: http://www.securitytracker.com/id/1032307

Trust: 1.2

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8619

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8619

Trust: 0.8

url: https://www.fortinet.com/products/fortigate/fortios.html

Trust: 0.3

url: https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-76564 // VULMON: CVE-2014-8619 // BID: 74679 // JVNDB: JVNDB-2014-008043 // CNNVD: CNNVD-201505-096 // NVD: CVE-2014-8619

CREDITS

Jared Haight, William Costa, and Benjamin Kunz Mejri (Vulnerability Laboratory, Evolution Security GmbH).

Trust: 0.3

sources: BID: 74679

SOURCES

db: VULHUB, id: VHN-76564
db: VULMON, id: CVE-2014-8619
db: BID, id: 74679
db: JVNDB, id: JVNDB-2014-008043
db: CNNVD, id: CNNVD-201505-096
db: NVD, id: CVE-2014-8619

LAST UPDATE DATE

2024-08-14T15:19:01.497000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-76564, date: 2017-01-03T00:00:00
db: VULMON, id: CVE-2014-8619, date: 2017-01-03T00:00:00
db: BID, id: 74679, date: 2015-02-25T00:00:00
db: JVNDB, id: JVNDB-2014-008043, date: 2015-05-14T00:00:00
db: CNNVD, id: CNNVD-201505-096, date: 2015-05-13T00:00:00
db: NVD, id: CVE-2014-8619, date: 2017-01-03T02:59:20.457

SOURCES RELEASE DATE

db: VULHUB, id: VHN-76564, date: 2015-05-12T00:00:00
db: VULMON, id: CVE-2014-8619, date: 2015-05-12T00:00:00
db: BID, id: 74679, date: 2015-02-25T00:00:00
db: JVNDB, id: JVNDB-2014-008043, date: 2015-05-14T00:00:00
db: CNNVD, id: CNNVD-201505-096, date: 2015-05-13T00:00:00
db: NVD, id: CVE-2014-8619, date: 2015-05-12T19:59:02.643