ID

VAR-201704-0569


CVE

CVE-2017-3125


TITLE

FortiMail Unspecified cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-003125

DESCRIPTION

An unauthenticated XSS vulnerability in FortiMail 5.0.0 - 5.2.9 and 5.3.0 - 5.3.8 could allow an attacker to execute arbitrary scripts in the security context of the browser of a victim logged in to FortiMail, assuming the victim is social engineered into clicking a URL crafted by the attacker. Fortinet FortiMail is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiMail 5.0.0 through 5.2.9 and 5.3.0 through 5.3.8 are vulnerable. Fortinet FortiMail is an email security appliance from Fortinet that provides an information filtering engine, anti-spam and threat defense functions.

Trust: 1.98

sources: NVD: CVE-2017-3125 // JVNDB: JVNDB-2017-003125 // BID: 97474 // VULHUB: VHN-111328

AFFECTED PRODUCTS

vendor: fortinet  model: fortimail  scope: eq  version: 5.3.8           Trust: 1.9
vendor: fortinet  model: fortimail  scope: eq  version: 5.3.2           Trust: 1.6
vendor: fortinet  model: fortimail  scope: eq  version: 5.3.6           Trust: 1.6
vendor: fortinet  model: fortimail  scope: eq  version: 5.3.3           Trust: 1.6
vendor: fortinet  model: fortimail  scope: eq  version: 5.3.7           Trust: 1.6
vendor: fortinet  model: fortimail  scope: eq  version: 5.3.5           Trust: 1.6
vendor: fortinet  model: fortimail  scope: eq  version: 5.2.2           Trust: 1.6
vendor: fortinet  model: fortimail  scope: eq  version: 5.3.1           Trust: 1.6
vendor: fortinet  model: fortimail  scope: eq  version: 5.2.1           Trust: 1.6
vendor: fortinet  model: fortimail  scope: eq  version: 5.2             Trust: 1.6
vendor: fortinet  model: fortimail  scope: eq  version: 5.3             Trust: 1.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.2.9           Trust: 1.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.1.2           Trust: 1.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.0.5           Trust: 1.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.2.3           Trust: 1.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.1.5           Trust: 1.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.1.3           Trust: 1.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.0.8           Trust: 1.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.0.7           Trust: 1.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.0.6           Trust: 1.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.0.9           Trust: 1.0
vendor: fortinet  model: fortimail  scope: eq  version: 5.1             Trust: 1.0
vendor: fortinet  model: fortimail  scope: eq  version: 5.1.6           Trust: 1.0
vendor: fortinet  model: fortimail  scope: eq  version: 5.0.10          Trust: 1.0
vendor: fortinet  model: fortimail  scope: eq  version: 5.2.6           Trust: 1.0
vendor: fortinet  model: fortimail  scope: eq  version: 5.2.8           Trust: 1.0
vendor: fortinet  model: fortimail  scope: eq  version: 5.0             Trust: 1.0
vendor: fortinet  model: fortimail  scope: eq  version: 5.2.7           Trust: 1.0
vendor: fortinet  model: fortimail  scope: eq  version: 5.2.4           Trust: 1.0
vendor: fortinet  model: fortimail  scope: eq  version: 5.3.4           Trust: 1.0
vendor: fortinet  model: fortimail  scope: eq  version: 5.2.5           Trust: 1.0
vendor: fortinet  model: fortimail  scope: eq  version: 5.0.0 to 5.2.9  Trust: 0.8
vendor: fortinet  model: fortimail  scope: eq  version: 5.3.0 to 5.3.8  Trust: 0.8
vendor: fortinet  model: fortimail  scope: eq  version: 5.1.4           Trust: 0.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.1.1           Trust: 0.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.0.2           Trust: 0.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.0.1           Trust: 0.3
vendor: fortinet  model: fortimail  scope: eq  version: 5.0.0           Trust: 0.3
vendor: fortinet  model: fortimail  scope: ne  version: 5.3.9           Trust: 0.3

sources: BID: 97474 // JVNDB: JVNDB-2017-003125 // CNNVD: CNNVD-201704-321 // NVD: CVE-2017-3125

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-3125
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-3125
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201704-321
value: MEDIUM

Trust: 0.6

VULHUB: VHN-111328
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-3125
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-111328
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-3125
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-111328 // JVNDB: JVNDB-2017-003125 // CNNVD: CNNVD-201704-321 // NVD: CVE-2017-3125

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-111328 // JVNDB: JVNDB-2017-003125 // NVD: CVE-2017-3125

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-321

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201704-321

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003125

PATCH

title: FG-IR-17-011  url: http://fortiguard.com/psirt/FG-IR-17-011

Trust: 0.8

title: Fortinet FortiMail Fixes for cross-site scripting vulnerabilities  url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=69104

Trust: 0.6

sources: JVNDB: JVNDB-2017-003125 // CNNVD: CNNVD-201704-321

EXTERNAL IDS

db: NVD     id: CVE-2017-3125        Trust: 2.8
db: BID     id: 97474                Trust: 2.0
db: JVNDB   id: JVNDB-2017-003125    Trust: 0.8
db: CNNVD   id: CNNVD-201704-321     Trust: 0.7
db: VULHUB  id: VHN-111328           Trust: 0.1

sources: VULHUB: VHN-111328 // BID: 97474 // JVNDB: JVNDB-2017-003125 // CNNVD: CNNVD-201704-321 // NVD: CVE-2017-3125

REFERENCES

url: http://fortiguard.com/psirt/fg-ir-17-011                          Trust: 2.0
url: http://www.securityfocus.com/bid/97474                            Trust: 1.7
url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3125       Trust: 0.8
url: https://nvd.nist.gov/vuln/detail/cve-2017-3125                    Trust: 0.8
url: http://www.fortinet.com/products/fortimail/                       Trust: 0.3

sources: VULHUB: VHN-111328 // BID: 97474 // JVNDB: JVNDB-2017-003125 // CNNVD: CNNVD-201704-321 // NVD: CVE-2017-3125

CREDITS

Ebrahim Hegazy

Trust: 0.9

sources: BID: 97474 // CNNVD: CNNVD-201704-321

SOURCES

db: VULHUB  id: VHN-111328
db: BID     id: 97474
db: JVNDB   id: JVNDB-2017-003125
db: CNNVD   id: CNNVD-201704-321
db: NVD     id: CVE-2017-3125

LAST UPDATE DATE

2024-08-14T15:03:06.769000+00:00


SOURCES UPDATE DATE

db: VULHUB  id: VHN-111328         date: 2017-04-18T00:00:00
db: BID     id: 97474              date: 2017-04-11T00:03:00
db: JVNDB   id: JVNDB-2017-003125  date: 2017-05-16T00:00:00
db: CNNVD   id: CNNVD-201704-321   date: 2017-04-17T00:00:00
db: NVD     id: CVE-2017-3125      date: 2017-04-18T20:47:14.543

SOURCES RELEASE DATE

db: VULHUB  id: VHN-111328         date: 2017-04-12T00:00:00
db: BID     id: 97474              date: 2017-04-04T00:00:00
db: JVNDB   id: JVNDB-2017-003125  date: 2017-05-16T00:00:00
db: CNNVD   id: CNNVD-201704-321   date: 2017-04-07T00:00:00
db: NVD     id: CVE-2017-3125      date: 2017-04-12T15:59:00.160