Sign-up

ID

VAR-201605-0279


CVE

CVE-2015-7360


TITLE

Fortinet FortiSandbox Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2015-05053 // CNNVD: CNNVD-201507-783

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface (WebUI) in Fortinet FortiSandbox before 2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) serial parameter to alerts/summary/profile/; the (2) urlForCreatingReport parameter to csearch/report/export/; the (3) id parameter to analysis/detail/download/screenshot; or vectors related to (4) "Fortiview threats by users search filtered by vdom" or (5) "PCAP file download generated by the VM scan feature.". Fortinet FortiSandbox of Web User interface (WebUI) Contains a cross-site scripting vulnerability.By any third party, via Web Script or HTML May be inserted. Fortinet FortiSandbox is an APT (Advanced Persistent Threat) protection device from Fortinet. The device provides dual sandbox technology, dynamic threat intelligence, real-time control panels and reporting. A cross-site scripting vulnerability exists in Fortinet FortiSandbox 2.0.3 and earlier that caused the program to not adequately filter user-submitted input. When a user browses an affected website, their browser will execute any script code provided by the attacker. This can lead to an attacker stealing cookie-based authentication and initiating other attacks. FortiSandbox 2.0.3 and prior versions are vulnerable

Trust: 2.52

sources: NVD: CVE-2015-7360 // JVNDB: JVNDB-2015-007188 // CNVD: CNVD-2015-05053 // BID: 76045 // VULHUB: VHN-85321

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-05053

AFFECTED PRODUCTS

vendor:fortinetmodel:fortisandboxscope:lteversion:2.0.4

Trust: 1.0

vendor:fortinetmodel:fortisandboxscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortisandboxscope:ltversion:2.1

Trust: 0.8

vendor:fortinetmodel:fortisandboxscope:lteversion:<=2.0.3

Trust: 0.6

vendor:fortinetmodel:fortisandboxscope:eqversion: -

Trust: 0.6

sources: CNVD: CNVD-2015-05053 // JVNDB: JVNDB-2015-007188 // CNNVD: CNNVD-201507-783 // NVD: CVE-2015-7360

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7360
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-7360
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-05053
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201507-783
value: MEDIUM

Trust: 0.6

VULHUB: VHN-85321
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-7360
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-05053
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-85321
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-7360
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2015-05053 // VULHUB: VHN-85321 // JVNDB: JVNDB-2015-007188 // CNNVD: CNNVD-201507-783 // NVD: CVE-2015-7360

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-85321 // JVNDB: JVNDB-2015-007188 // NVD: CVE-2015-7360

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201507-783

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201507-783

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-007188

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-85321

PATCH
title:Multiple XSS vulnerabilities in FortiSandbox WebUIurl:http://fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortisandbox-webui
Trust: 0.8
title:Fortinet FortiSandbox Cross-Site Scripting Vulnerability Patchurl:https://www.cnvd.org.cn/patchInfo/show/61764
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2015-05053 // 
            
            
            
            JVNDB: JVNDB-2015-007188

EXTERNAL IDS
db:NVDid:CVE-2015-7360
Trust: 2.8
db:PACKETSTORMid:132930
Trust: 1.7
db:BIDid:76045
Trust: 1.6
db:JVNDBid:JVNDB-2015-007188
Trust: 0.8
db:CNNVDid:CNNVD-201507-783
Trust: 0.7
db:CNVDid:CNVD-2015-05053
Trust: 0.6
db:VULHUBid:VHN-85321
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2015-05053 // 
            
            
            
            VULHUB: VHN-85321 // 
            
            
            
            BID: 76045 // 
            
            
            
            JVNDB: JVNDB-2015-007188 // 
            
            
            
            CNNVD: CNNVD-201507-783 // 
            
            
            
            NVD: CVE-2015-7360

REFERENCES
url:http://fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortisandbox-webui
Trust: 1.7
url:http://hyp3rlinx.altervista.org/advisories/as-fortisandbox-0801.txt
Trust: 1.7
url:http://packetstormsecurity.com/files/132930/fortisandbox-3000d-2.02-build0042-cross-site-scripting.html
Trust: 1.7
url:http://www.securityfocus.com/bid/76045
Trust: 1.2
url:http://www.securityfocus.com/archive/1/536124/100/0/threaded
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7360
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7360
Trust: 0.8
url:http://www.securityfocus.com/archive/1/archive/1/536124/100/0/threaded
Trust: 0.6
url:http://www.fortinet.com/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2015-05053 // 
            
            
            
            VULHUB: VHN-85321 // 
            
            
            
            BID: 76045 // 
            
            
            
            JVNDB: JVNDB-2015-007188 // 
            
            
            
            CNNVD: CNNVD-201507-783 // 
            
            
            
            NVD: CVE-2015-7360

CREDITS
John Page
Trust: 0.9
sources:
            
            
            BID: 76045 // 
            
            
            
            CNNVD: CNNVD-201507-783

SOURCES
db:CNVDid:CNVD-2015-05053
db:VULHUBid:VHN-85321
db:BIDid:76045
db:JVNDBid:JVNDB-2015-007188
db:CNNVDid:CNNVD-201507-783
db:NVDid:CVE-2015-7360

LAST UPDATE DATE
2024-08-14T15:34:49.991000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2015-05053date:2015-07-31T00:00:00
db:VULHUBid:VHN-85321date:2018-10-09T00:00:00
db:BIDid:76045date:2016-07-06T14:51:00
db:JVNDBid:JVNDB-2015-007188date:2016-05-30T00:00:00
db:CNNVDid:CNNVD-201507-783date:2016-05-27T00:00:00
db:NVDid:CVE-2015-7360date:2018-10-09T19:58:02.643

SOURCES RELEASE DATE
db:CNVDid:CNVD-2015-05053date:2015-07-31T00:00:00
db:VULHUBid:VHN-85321date:2016-05-26T00:00:00
db:BIDid:76045date:2015-07-24T00:00:00
db:JVNDBid:JVNDB-2015-007188date:2016-05-30T00:00:00
db:CNNVDid:CNNVD-201507-783date:2015-07-29T00:00:00
db:NVDid:CVE-2015-7360date:2016-05-26T15:59:00.133