ID

VAR-201511-0090


CVE

CVE-2015-8038


TITLE

Fortinet FortiManager Graphical user interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-005705

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the Graphical User Interface (GUI) in Fortinet FortiManager before 5.2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) sharedjobmanager or (2) SOMServiceObjDialog.

Fortinet FortiManager is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. FortiManager 5.2.3 and prior versions are vulnerable.

[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-FORTIMANAGER-XSS-0924.txt

Vendor:
================================
www.fortinet.com

Product:
================================
FortiManager v5.2.2

FortiManager is a centralized security management appliance that allows you to centrally manage any number of Fortinet Network Security devices.

2 potential XSS vectors were identified:
* XSS vulnerability in SOMVpnSSLPortalDialog.

2 potential XSS vectors were identified:
* XSS vulnerability in sharedjobmanager.

Affected Products
XSS items 1-2: FortiManager v5.2.2 or earlier.
XSS items 3-4: FortiManager v5.2.3 or earlier.

Solutions:
===========
No workarounds are currently available.
Update to FortiManager v5.2.4.

Exploit code(s):
===============
1- Persistent:
https://localhost/cgi-bin/module/sharedobjmanager/firewall/SOMServiceObjDialog?devGrpId=18446744073709551615&deviceId=18446744073709551615&vdom=&adomId=3&vdomID=0&adomType=ems&cate=167&prodId=0&key=ALL&catetype=167&cate=167&permit_w=1&roid=189&startIndex=0&results=50

<div class="ui-comments-div"><textarea id="_comp_15" name="_comp_15" class="ui-comments-text" cols="58" maxlength="255" maxnum="255" placeholder="Write a comment" rows="1"><script>alert(666)</script></textarea><label class="ui-comments-remaining">

2- Reflected
https://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/PolicyTable?vdom=%22%27/%3E%3C/script%3E%3Cscript%3Ealert%28%27[XSS%20FortiManager%20POC%20VM64%20v5.2.2%2008042015%20]\n\n%27%2bdocument.cookie%29%3C/script%3E

Disclosure Timeline:
=========================================================
Vendor Notification: August 4, 2015
September 24, 2015 : Public Disclosure

Exploitation Technique:
=======================
Remote & Local

Severity Level:
=========================================================
Medium (3)

Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] FortiManager v5.2.2 & v5.2.3 or earlier
Vulnerable Parameter(s): [+] vdom, textarea field
Affected Area(s): [+] sharedobjmanager, SOMServiceObjDialog
===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx

Trust: 2.07

sources: NVD: CVE-2015-8038 // JVNDB: JVNDB-2015-005705 // BID: 76850 // VULHUB: VHN-85999 // PACKETSTORM: 133706

AFFECTED PRODUCTS

vendor: fortinet, model: fortimanager, scope: lte, version: 5.2.3

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: eq, version: 5.2.3

Trust: 0.9

vendor: fortinet, model: fortimanager, scope: lt, version: 5.2.4

Trust: 0.8

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.8

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.6

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.1

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.2.2

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.3

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.5

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: ne, version: 5.2.4

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.7

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.2.1

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.11

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.2

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.9

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.10

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 3.0

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.2

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 4.3

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.4

Trust: 0.3

sources: BID: 76850 // JVNDB: JVNDB-2015-005705 // CNNVD: CNNVD-201510-764 // NVD: CVE-2015-8038

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-8038
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-8038
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201510-764
value: MEDIUM

Trust: 0.6

VULHUB: VHN-85999
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-8038
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-85999
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-85999 // JVNDB: JVNDB-2015-005705 // CNNVD: CNNVD-201510-764 // NVD: CVE-2015-8038

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-85999 // JVNDB: JVNDB-2015-005705 // NVD: CVE-2015-8038

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201510-764

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 133706 // CNNVD: CNNVD-201510-764

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-005705

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-85999

PATCH

title: Multiple XSS vulnerabilities in FortiManager GUI
url: http://www.fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortimanager-gui

Trust: 0.8

title: Fortinet FortiManager Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=58509

Trust: 0.6

sources: JVNDB: JVNDB-2015-005705 // CNNVD: CNNVD-201510-764

EXTERNAL IDS

db: NVD, id: CVE-2015-8038

Trust: 2.6

db: BID, id: 76850

Trust: 0.9

db: JVNDB, id: JVNDB-2015-005705

Trust: 0.8

db: CNNVD, id: CNNVD-201510-764

Trust: 0.7

db: EXPLOIT-DB, id: 38316

Trust: 0.1

db: VULHUB, id: VHN-85999

Trust: 0.1

db: PACKETSTORM, id: 133706

Trust: 0.1

sources: VULHUB: VHN-85999 // BID: 76850 // JVNDB: JVNDB-2015-005705 // PACKETSTORM: 133706 // CNNVD: CNNVD-201510-764 // NVD: CVE-2015-8038

REFERENCES

url:http://www.fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortimanager-gui

Trust: 2.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8038

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-8038

Trust: 0.8

url:http://www.securityfocus.com/bid/76850

Trust: 0.6

url:http://hyp3rlinx.altervista.org/advisories/as-fortimanager-xss-0924.txt

Trust: 0.4

url:http://www.fortinet.com/products/fortimanager/

Trust: 0.3

url:https://www.fortinet.com

Trust: 0.1

url:https://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/policytable?vdom=%22%27/%3e%3c/script%3e%3cscript%3ealert%28%27[xss%20fortimanager%20poc%20vm64%20v5.2.2%2008042015%20]\n\n%27%2bdocument.cookie%29%3c/script%3e

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8037

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8038

Trust: 0.1

url:https://localhost/cgi-bin/module/sharedobjmanager/firewall/somserviceobjdialog?devgrpid=18446744073709551615&deviceid=18446744073709551615&vdom=&adomid=3&vdomid=0&adomtype=ems&cate=167&prodid=0&key=all&catetype=167&cate=167&permit_w=1&roid=189&startindex=0&results=50

Trust: 0.1

sources: VULHUB: VHN-85999 // BID: 76850 // JVNDB: JVNDB-2015-005705 // PACKETSTORM: 133706 // CNNVD: CNNVD-201510-764 // NVD: CVE-2015-8038

CREDITS

John Page

Trust: 0.9

sources: BID: 76850 // CNNVD: CNNVD-201510-764

SOURCES

db: VULHUB, id: VHN-85999
db: BID, id: 76850
db: JVNDB, id: JVNDB-2015-005705
db: PACKETSTORM, id: 133706
db: CNNVD, id: CNNVD-201510-764
db: NVD, id: CVE-2015-8038

LAST UPDATE DATE

2024-08-14T14:52:18.085000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-85999, date: 2015-11-03T00:00:00
db: BID, id: 76850, date: 2015-09-24T00:00:00
db: JVNDB, id: JVNDB-2015-005705, date: 2015-11-04T00:00:00
db: CNNVD, id: CNNVD-201510-764, date: 2015-11-03T00:00:00
db: NVD, id: CVE-2015-8038, date: 2015-11-03T23:12:19.050

SOURCES RELEASE DATE

db: VULHUB, id: VHN-85999, date: 2015-11-02T00:00:00
db: BID, id: 76850, date: 2015-09-24T00:00:00
db: JVNDB, id: JVNDB-2015-005705, date: 2015-11-04T00:00:00
db: PACKETSTORM, id: 133706, date: 2015-09-25T07:00:13
db: CNNVD, id: CNNVD-201510-764, date: 2015-09-24T00:00:00
db: NVD, id: CVE-2015-8038, date: 2015-11-02T19:59:18.173