ID

VAR-201705-3939


CVE

CVE-2017-7339


TITLE

Fortinet FortiPortal Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-004226

DESCRIPTION

A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via the 'Name' and 'Description' inputs in the 'Add Revision Backup' functionality. Fortinet FortiPortal Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. FortiPortal is prone to the following multiple security vulnerabilities. An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, bypass security restriction and perform unauthorized actions, redirect users to an attacker-controlled site or obtain sensitive information. Versions prior to FortiPortal 4.0.1 are vulnerable. Fortinet FortiPortal is a product developed by Fortinet to help Managed Security Service Provider (MSSP) operate cloud-based security management and log retention services

Trust: 1.98

sources: NVD: CVE-2017-7339 // JVNDB: JVNDB-2017-004226 // BID: 98484 // VULHUB: VHN-115542

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiportalscope:lteversion:4.0.0

Trust: 1.8

vendor:fortinetmodel:fortiportalscope:eqversion:4.0.0

Trust: 0.6

vendor:fortinetmodel:fortiportalscope:eqversion:4.0

Trust: 0.3

vendor:fortinetmodel:fortiportalscope:neversion:4.0.1

Trust: 0.3

sources: BID: 98484 // JVNDB: JVNDB-2017-004226 // CNNVD: CNNVD-201703-1375 // NVD: CVE-2017-7339

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-7339
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-7339
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201703-1375
value: MEDIUM

Trust: 0.6

VULHUB: VHN-115542
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-7339
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-115542
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-7339
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-115542 // JVNDB: JVNDB-2017-004226 // CNNVD: CNNVD-201703-1375 // NVD: CVE-2017-7339

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-115542 // JVNDB: JVNDB-2017-004226 // NVD: CVE-2017-7339

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-1375

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201703-1375

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-004226

PATCH

title:FortiPortal Multiple Vulnerabilitiesurl:https://fortiguard.com/psirt/FG-IR-17-114

Trust: 0.8

sources: JVNDB: JVNDB-2017-004226

EXTERNAL IDS

db:NVDid:CVE-2017-7339

Trust: 2.8

db:JVNDBid:JVNDB-2017-004226

Trust: 0.8

db:CNNVDid:CNNVD-201703-1375

Trust: 0.7

db:BIDid:98484

Trust: 0.3

db:VULHUBid:VHN-115542

Trust: 0.1

sources: VULHUB: VHN-115542 // BID: 98484 // JVNDB: JVNDB-2017-004226 // CNNVD: CNNVD-201703-1375 // NVD: CVE-2017-7339

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-17-114

Trust: 2.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7339

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-7339

Trust: 0.8

url:http://www.fortinet.com/

Trust: 0.3

sources: VULHUB: VHN-115542 // BID: 98484 // JVNDB: JVNDB-2017-004226 // CNNVD: CNNVD-201703-1375 // NVD: CVE-2017-7339

CREDITS

David Tredger, Senior Security Consultant, Aura Information Security

Trust: 0.3

sources: BID: 98484

SOURCES

db:VULHUBid:VHN-115542
db:BIDid:98484
db:JVNDBid:JVNDB-2017-004226
db:CNNVDid:CNNVD-201703-1375
db:NVDid:CVE-2017-7339

LAST UPDATE DATE

2024-08-14T13:45:13.029000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-115542date:2017-05-31T00:00:00
db:BIDid:98484date:2017-05-15T00:00:00
db:JVNDBid:JVNDB-2017-004226date:2017-06-20T00:00:00
db:CNNVDid:CNNVD-201703-1375date:2017-05-27T00:00:00
db:NVDid:CVE-2017-7339date:2017-05-31T13:54:35.160

SOURCES RELEASE DATE

db:VULHUBid:VHN-115542date:2017-05-27T00:00:00
db:BIDid:98484date:2017-05-15T00:00:00
db:JVNDBid:JVNDB-2017-004226date:2017-06-20T00:00:00
db:CNNVDid:CNNVD-201703-1375date:2017-03-31T00:00:00
db:NVDid:CVE-2017-7339date:2017-05-27T00:29:01.190