ID

VAR-201708-0340

CVE

CVE-2015-3615

TITLE

FortiManager vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2015-007716

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Fortinet FortiManager 5.0.x before 5.0.11 and 5.2.x before 5.2.2 allows remote authenticated users to inject arbitrary web script or HTML via vectors involving unspecified parameters and a privilege escalation attack. FortiManager contains a cross-site scripting vulnerability; information may be obtained and information may be altered. FortiManager is prone to the following security vulnerabilities:

1. A remote privilege-escalation vulnerability
2. An HTML-injection vulnerability
3. An SQL-injection vulnerability
4. A local privilege-escalation vulnerability
5. An arbitrary file-download vulnerability

Exploiting these issues could allow an attacker to execute attacker-supplied HTML or script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, gain elevated privileges, or download arbitrary files from the web server and obtain potentially sensitive information. This may aid in other attacks.

Fortinet FortiManager is a centralized network security management platform developed by Fortinet. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management.

Trust: 1.98

sources: NVD: CVE-2015-3615 // JVNDB: JVNDB-2015-007716 // BID: 74444 // VULHUB: VHN-81576

AFFECTED PRODUCTS

vendor: fortinet  model: fortimanager  scope: eq  version: 5.2.1

Trust: 1.9

vendor: fortinet  model: fortimanager  scope: eq  version: 5.0.10

Trust: 1.9

vendor: fortinet  model: fortimanager  scope: eq  version: 5.0.9

Trust: 1.9

vendor: fortinet  model: fortimanager  scope: eq  version: 5.0.8

Trust: 1.9

vendor: fortinet  model: fortimanager  scope: eq  version: 5.0.7

Trust: 1.9

vendor: fortinet  model: fortimanager  scope: eq  version: 5.0.6

Trust: 1.9

vendor: fortinet  model: fortimanager  scope: eq  version: 5.0.5

Trust: 1.9

vendor: fortinet  model: fortimanager  scope: eq  version: 5.0.4

Trust: 1.9

vendor: fortinet  model: fortimanager  scope: eq  version: 5.0.3

Trust: 1.9

vendor: fortinet  model: fortimanager  scope: eq  version: 5.2.0

Trust: 1.6

vendor: fortinet  model: fortimanager  scope: eq  version: 5.2.2

Trust: 0.8

vendor: fortinet  model: fortimanager  scope: eq  version: 5.0.11

Trust: 0.8

vendor: fortinet  model: fortimanager  scope: lt  version: 5.2.x

Trust: 0.8

vendor: fortinet  model: fortimanager  scope: lt  version: 5.0.x

Trust: 0.8

vendor: fortinet  model: fortimanager  scope: eq  version: 5.2

Trust: 0.3

vendor: fortinet  model: fortimanager  scope: eq  version: 5.0.2

Trust: 0.3

vendor: fortinet  model: fortimanager  scope: eq  version: 5.0.1

Trust: 0.3

vendor: fortinet  model: fortimanager  scope: eq  version: 5.0

Trust: 0.3

vendor: fortinet  model: fortimanager  scope: ne  version: 5.2.2

Trust: 0.3

vendor: fortinet  model: fortimanager  scope: ne  version: 5.0.11

Trust: 0.3

sources: BID: 74444 // JVNDB: JVNDB-2015-007716 // CNNVD: CNNVD-201708-580 // NVD: CVE-2015-3615

CVSS

SEVERITY

nvd@nist.gov: CVE-2015-3615
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-3615
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201708-580
value: LOW

Trust: 0.6

VULHUB: VHN-81576
value: LOW

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2015-3615
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-81576
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2015-3615
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-81576 // JVNDB: JVNDB-2015-007716 // CNNVD: CNNVD-201708-580 // NVD: CVE-2015-3615

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-81576 // JVNDB: JVNDB-2015-007716 // NVD: CVE-2015-3615

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-580

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201708-580

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-007716

PATCH

title: FG-IR-15-011
url: https://fortiguard.com/psirt/FG-IR-15-011

Trust: 0.8

title: Fortinet FortiManager fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=73992

Trust: 0.6

sources: JVNDB: JVNDB-2015-007716 // CNNVD: CNNVD-201708-580

EXTERNAL IDS

db: NVD  id: CVE-2015-3615

Trust: 2.8

db: SECTRACK  id: 1032188

Trust: 1.7

db: BID  id: 74444

Trust: 1.4

db: JVNDB  id: JVNDB-2015-007716

Trust: 0.8

db: CNNVD  id: CNNVD-201708-580

Trust: 0.7

db: NSFOCUS  id: 37413

Trust: 0.6

db: VULHUB  id: VHN-81576

Trust: 0.1

sources: VULHUB: VHN-81576 // BID: 74444 // JVNDB: JVNDB-2015-007716 // CNNVD: CNNVD-201708-580 // NVD: CVE-2015-3615

REFERENCES

url: https://fortiguard.com/psirt/fg-ir-15-011

Trust: 2.0

url: http://www.securitytracker.com/id/1032188

Trust: 1.7

url: http://www.securityfocus.com/bid/74444

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3615

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2015-3615

Trust: 0.8

url: http://www.nsfocus.net/vulndb/37413

Trust: 0.6

url: http://www.fortinet.com/products/fortimanager/

Trust: 0.3

url: http://www.fortiguard.com/advisory/fg-ir-15-011/

Trust: 0.3

sources: VULHUB: VHN-81576 // BID: 74444 // JVNDB: JVNDB-2015-007716 // CNNVD: CNNVD-201708-580 // NVD: CVE-2015-3615

CREDITS

Maksymilian Motyl and the ITN Security Team at Orange Polska

Trust: 0.3

sources: BID: 74444

SOURCES

db: VULHUB  id: VHN-81576
db: BID  id: 74444
db: JVNDB  id: JVNDB-2015-007716
db: CNNVD  id: CNNVD-201708-580
db: NVD  id: CVE-2015-3615

LAST UPDATE DATE

2024-08-14T14:11:58.415000+00:00

SOURCES UPDATE DATE

db: VULHUB  id: VHN-81576  date: 2017-08-26T00:00:00
db: BID  id: 74444  date: 2017-08-25T07:11:00
db: JVNDB  id: JVNDB-2015-007716  date: 2017-09-08T00:00:00
db: CNNVD  id: CNNVD-201708-580  date: 2017-08-14T00:00:00
db: NVD  id: CVE-2015-3615  date: 2017-08-26T01:29:00.333

SOURCES RELEASE DATE

db: VULHUB  id: VHN-81576  date: 2017-08-11T00:00:00
db: BID  id: 74444  date: 2015-04-16T00:00:00
db: JVNDB  id: JVNDB-2015-007716  date: 2017-09-08T00:00:00
db: CNNVD  id: CNNVD-201708-580  date: 2017-08-14T00:00:00
db: NVD  id: CVE-2015-3615  date: 2017-08-11T21:29:00.370