ID

VAR-201605-0279


CVE

CVE-2015-7360


TITLE

Fortinet FortiSandbox Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2015-05053 // CNNVD: CNNVD-201507-783

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface (WebUI) in Fortinet FortiSandbox before 2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) serial parameter to alerts/summary/profile/; the (2) urlForCreatingReport parameter to csearch/report/export/; the (3) id parameter to analysis/detail/download/screenshot; or vectors related to (4) "Fortiview threats by users search filtered by vdom" or (5) "PCAP file download generated by the VM scan feature."

The Web User Interface (WebUI) of Fortinet FortiSandbox contains a cross-site scripting vulnerability. A third party may insert arbitrary web script or HTML.

Fortinet FortiSandbox is an APT (Advanced Persistent Threat) protection device from Fortinet. The device provides dual sandbox technology, dynamic threat intelligence, real-time control panels and reporting. A cross-site scripting vulnerability exists in Fortinet FortiSandbox 2.0.3 and earlier because the program does not adequately filter user-submitted input. When a user browses an affected website, their browser will execute any script code provided by the attacker. This can lead to an attacker stealing cookie-based authentication credentials and initiating other attacks. FortiSandbox 2.0.3 and prior versions are vulnerable.

Trust: 2.52

sources: NVD: CVE-2015-7360 // JVNDB: JVNDB-2015-007188 // CNVD: CNVD-2015-05053 // BID: 76045 // VULHUB: VHN-85321

IOT TAXONOMY

category: ['Network device'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-05053

AFFECTED PRODUCTS

vendor: fortinet // model: fortisandbox // scope: lte // version: 2.0.4

Trust: 1.0

vendor: fortinet // model: fortisandbox // scope: - // version: -

Trust: 0.8

vendor: fortinet // model: fortisandbox // scope: lt // version: 2.1

Trust: 0.8

vendor: fortinet // model: fortisandbox // scope: lte // version: <=2.0.3

Trust: 0.6

vendor: fortinet // model: fortisandbox // scope: eq // version: -

Trust: 0.6

sources: CNVD: CNVD-2015-05053 // JVNDB: JVNDB-2015-007188 // CNNVD: CNNVD-201507-783 // NVD: CVE-2015-7360

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7360
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-7360
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-05053
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201507-783
value: MEDIUM

Trust: 0.6

VULHUB: VHN-85321
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-7360
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-05053
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-85321
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-7360
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2015-05053 // VULHUB: VHN-85321 // JVNDB: JVNDB-2015-007188 // CNNVD: CNNVD-201507-783 // NVD: CVE-2015-7360

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-85321 // JVNDB: JVNDB-2015-007188 // NVD: CVE-2015-7360

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201507-783

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201507-783

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-007188

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-85321

PATCH

title: Multiple XSS vulnerabilities in FortiSandbox WebUI // url: http://fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortisandbox-webui

Trust: 0.8

title: Fortinet FortiSandbox Cross-Site Scripting Vulnerability Patch // url: https://www.cnvd.org.cn/patchInfo/show/61764

Trust: 0.6

sources: CNVD: CNVD-2015-05053 // JVNDB: JVNDB-2015-007188

EXTERNAL IDS

db: NVD // id: CVE-2015-7360

Trust: 2.8

db: PACKETSTORM // id: 132930

Trust: 1.7

db: BID // id: 76045

Trust: 1.6

db: JVNDB // id: JVNDB-2015-007188

Trust: 0.8

db: CNNVD // id: CNNVD-201507-783

Trust: 0.7

db: CNVD // id: CNVD-2015-05053

Trust: 0.6

db: VULHUB // id: VHN-85321

Trust: 0.1

sources: CNVD: CNVD-2015-05053 // VULHUB: VHN-85321 // BID: 76045 // JVNDB: JVNDB-2015-007188 // CNNVD: CNNVD-201507-783 // NVD: CVE-2015-7360

REFERENCES

url:http://fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortisandbox-webui

Trust: 1.7

url:http://hyp3rlinx.altervista.org/advisories/as-fortisandbox-0801.txt

Trust: 1.7

url:http://packetstormsecurity.com/files/132930/fortisandbox-3000d-2.02-build0042-cross-site-scripting.html

Trust: 1.7

url:http://www.securityfocus.com/bid/76045

Trust: 1.2

url:http://www.securityfocus.com/archive/1/536124/100/0/threaded

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7360

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7360

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/536124/100/0/threaded

Trust: 0.6

url:http://www.fortinet.com/

Trust: 0.3

sources: CNVD: CNVD-2015-05053 // VULHUB: VHN-85321 // BID: 76045 // JVNDB: JVNDB-2015-007188 // CNNVD: CNNVD-201507-783 // NVD: CVE-2015-7360

CREDITS

John Page

Trust: 0.9

sources: BID: 76045 // CNNVD: CNNVD-201507-783

SOURCES

db: CNVD // id: CNVD-2015-05053
db: VULHUB // id: VHN-85321
db: BID // id: 76045
db: JVNDB // id: JVNDB-2015-007188
db: CNNVD // id: CNNVD-201507-783
db: NVD // id: CVE-2015-7360

LAST UPDATE DATE

2024-11-23T22:22:45.380000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2015-05053 // date: 2015-07-31T00:00:00
db: VULHUB // id: VHN-85321 // date: 2018-10-09T00:00:00
db: BID // id: 76045 // date: 2016-07-06T14:51:00
db: JVNDB // id: JVNDB-2015-007188 // date: 2016-05-30T00:00:00
db: CNNVD // id: CNNVD-201507-783 // date: 2016-05-27T00:00:00
db: NVD // id: CVE-2015-7360 // date: 2024-11-21T02:36:38.890

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2015-05053 // date: 2015-07-31T00:00:00
db: VULHUB // id: VHN-85321 // date: 2016-05-26T00:00:00
db: BID // id: 76045 // date: 2015-07-24T00:00:00
db: JVNDB // id: JVNDB-2015-007188 // date: 2016-05-30T00:00:00
db: CNNVD // id: CNNVD-201507-783 // date: 2015-07-29T00:00:00
db: NVD // id: CVE-2015-7360 // date: 2016-05-26T15:59:00.133