Details of VAR-201704-0569

ID

VAR-201704-0569

CVE

CVE-2017-3125

TITLE

FortiMail Unspecified cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-003125

DESCRIPTION

An unauthenticated XSS vulnerability with FortiMail 5.0.0 - 5.2.9 and 5.3.0 - 5.3.8 could allow an attacker to execute arbitrary scripts in the security context of the browser of a victim logged in FortiMail, assuming the victim is social engineered into clicking an URL crafted by the attacker. Fortinet FortiMail is prone to a unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiMail 5.0.0 through 5.2.9 and 5.3.0 through 5.3.8 are vulnerable. Fortinet FortiMail is an email information security device from Fortinet, which provides information filtering engine, anti-spam and threat defense functions

Trust: 1.98

sources: NVD: CVE-2017-3125 // JVNDB: JVNDB-2017-003125 // BID: 97474 // VULHUB: VHN-111328

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.3.8	Trust: 1.9
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.3.2	Trust: 1.6
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.3.6	Trust: 1.6
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.3.3	Trust: 1.6
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.3.7	Trust: 1.6
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.3.5	Trust: 1.6
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.2.2	Trust: 1.6
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.3.1	Trust: 1.6
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.2.1	Trust: 1.6
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.2	Trust: 1.6
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.3	Trust: 1.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.2.9	Trust: 1.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.1.2	Trust: 1.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.0.5	Trust: 1.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.2.3	Trust: 1.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.1.5	Trust: 1.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.1.3	Trust: 1.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.0.8	Trust: 1.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.0.7	Trust: 1.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.0.6	Trust: 1.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.0.9	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.1	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.1.6	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.0.10	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.2.6	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.2.8	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.0	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.2.7	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.2.4	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.3.4	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.2.5	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.0.0 to 5.2.9	Trust: 0.8
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.3.0 to 5.3.8	Trust: 0.8
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.1.4	Trust: 0.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.1.1	Trust: 0.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.0.2	Trust: 0.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.0.1	Trust: 0.3
vendor:	fortinet	model:	fortimail	scope:	eq	version:	5.0.0	Trust: 0.3
vendor:	fortinet	model:	fortimail	scope:	ne	version:	5.3.9	Trust: 0.3

sources: BID: 97474 // JVNDB: JVNDB-2017-003125 // CNNVD: CNNVD-201704-321 // NVD: CVE-2017-3125

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-3125
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-3125
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201704-321
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-111328
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-3125
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-111328
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-3125
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-111328 // JVNDB: JVNDB-2017-003125 // CNNVD: CNNVD-201704-321 // NVD: CVE-2017-3125

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-111328 // JVNDB: JVNDB-2017-003125 // NVD: CVE-2017-3125

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-321

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201704-321

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003125

PATCH

title:	FG-IR-17-011	url:	http://fortiguard.com/psirt/FG-IR-17-011	Trust: 0.8
title:	Fortinet FortiMail Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=69104	Trust: 0.6

sources: JVNDB: JVNDB-2017-003125 // CNNVD: CNNVD-201704-321

EXTERNAL IDS

db:	NVD	id:	CVE-2017-3125	Trust: 2.8
db:	BID	id:	97474	Trust: 2.0
db:	JVNDB	id:	JVNDB-2017-003125	Trust: 0.8
db:	CNNVD	id:	CNNVD-201704-321	Trust: 0.7
db:	VULHUB	id:	VHN-111328	Trust: 0.1

sources: VULHUB: VHN-111328 // BID: 97474 // JVNDB: JVNDB-2017-003125 // CNNVD: CNNVD-201704-321 // NVD: CVE-2017-3125

REFERENCES

url:	http://fortiguard.com/psirt/fg-ir-17-011	Trust: 2.0
url:	http://www.securityfocus.com/bid/97474	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3125	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-3125	Trust: 0.8
url:	http://www.fortinet.com/products/fortimail/	Trust: 0.3

sources: VULHUB: VHN-111328 // BID: 97474 // JVNDB: JVNDB-2017-003125 // CNNVD: CNNVD-201704-321 // NVD: CVE-2017-3125

CREDITS

Ebrahim Hegazy

Trust: 0.9

sources: BID: 97474 // CNNVD: CNNVD-201704-321

SOURCES

db:	VULHUB	id:	VHN-111328
db:	BID	id:	97474
db:	JVNDB	id:	JVNDB-2017-003125
db:	CNNVD	id:	CNNVD-201704-321
db:	NVD	id:	CVE-2017-3125

LAST UPDATE DATE

2024-08-14T15:03:06.769000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-111328	date:	2017-04-18T00:00:00
db:	BID	id:	97474	date:	2017-04-11T00:03:00
db:	JVNDB	id:	JVNDB-2017-003125	date:	2017-05-16T00:00:00
db:	CNNVD	id:	CNNVD-201704-321	date:	2017-04-17T00:00:00
db:	NVD	id:	CVE-2017-3125	date:	2017-04-18T20:47:14.543

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-111328	date:	2017-04-12T00:00:00
db:	BID	id:	97474	date:	2017-04-04T00:00:00
db:	JVNDB	id:	JVNDB-2017-003125	date:	2017-05-16T00:00:00
db:	CNNVD	id:	CNNVD-201704-321	date:	2017-04-07T00:00:00
db:	NVD	id:	CVE-2017-3125	date:	2017-04-12T15:59:00.160