Sign-up

ID

VAR-201709-1216


CVE

CVE-2017-7734


TITLE

Fortinet FortiOS Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-007924

DESCRIPTION

A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 allows attackers to execute unauthorized code or commands via 'Comments' while saving Config Revisions. Fortinet FortiOS Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. FortiOS is prone to multiple cross-site scripting vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam

Trust: 1.98

sources: NVD: CVE-2017-7734 // JVNDB: JVNDB-2017-007924 // BID: 99098 // VULHUB: VHN-115937

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiosscope:eqversion:5.4.4

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.3

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.2

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.1

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.0

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.0 to 5.4.4

Trust: 0.8

vendor:fortinetmodel:fortiosscope:eqversion:5.2.11

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.8

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.6

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.5

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.4

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.3

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.2

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.1

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.9

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.10

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.0

Trust: 0.3

vendor:fortinetmodel:fortiosscope:neversion:5.6

Trust: 0.3

vendor:fortinetmodel:fortiosscope:neversion:5.4.5

Trust: 0.3

sources: BID: 99098 // JVNDB: JVNDB-2017-007924 // CNNVD: CNNVD-201706-818 // NVD: CVE-2017-7734

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-7734
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-7734
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201706-818
value: LOW

Trust: 0.6

VULHUB: VHN-115937
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-7734
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-115937
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-7734
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-115937 // JVNDB: JVNDB-2017-007924 // CNNVD: CNNVD-201706-818 // NVD: CVE-2017-7734

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-115937 // JVNDB: JVNDB-2017-007924 // NVD: CVE-2017-7734

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-818

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201706-818

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-007924

PATCH
title:FG-IR-17-127url:http://fortiguard.com/psirt/FG-IR-17-127
Trust: 0.8
title:Fortinet FortiOS Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71088
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-007924 // 
            
            
            
            CNNVD: CNNVD-201706-818

EXTERNAL IDS
db:NVDid:CVE-2017-7734
Trust: 2.8
db:BIDid:99098
Trust: 2.0
db:SECTRACKid:1038705
Trust: 1.1
db:JVNDBid:JVNDB-2017-007924
Trust: 0.8
db:CNNVDid:CNNVD-201706-818
Trust: 0.7
db:VULHUBid:VHN-115937
Trust: 0.1
sources:
            
            
            VULHUB: VHN-115937 // 
            
            
            
            BID: 99098 // 
            
            
            
            JVNDB: JVNDB-2017-007924 // 
            
            
            
            CNNVD: CNNVD-201706-818 // 
            
            
            
            NVD: CVE-2017-7734

REFERENCES
url:http://www.securityfocus.com/bid/99098
Trust: 1.7
url:https://fortiguard.com/advisory/fg-ir-17-127
Trust: 1.7
url:http://www.securitytracker.com/id/1038705
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7734
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-7734
Trust: 0.8
url:http://www.fortinet.com/
Trust: 0.3
url:http://fortiguard.com/psirt/fg-ir-17-127
Trust: 0.3
sources:
            
            
            VULHUB: VHN-115937 // 
            
            
            
            BID: 99098 // 
            
            
            
            JVNDB: JVNDB-2017-007924 // 
            
            
            
            CNNVD: CNNVD-201706-818 // 
            
            
            
            NVD: CVE-2017-7734

CREDITS
Walmart's ISD Enterprise Security Testing (EST) Team
Trust: 0.9
sources:
            
            
            BID: 99098 // 
            
            
            
            CNNVD: CNNVD-201706-818

SOURCES
db:VULHUBid:VHN-115937
db:BIDid:99098
db:JVNDBid:JVNDB-2017-007924
db:CNNVDid:CNNVD-201706-818
db:NVDid:CVE-2017-7734

LAST UPDATE DATE
2024-08-14T14:27:03.412000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-115937date:2017-09-15T00:00:00
db:BIDid:99098date:2017-06-15T00:00:00
db:JVNDBid:JVNDB-2017-007924date:2017-10-04T00:00:00
db:CNNVDid:CNNVD-201706-818date:2017-09-13T00:00:00
db:NVDid:CVE-2017-7734date:2017-09-15T12:49:14.667

SOURCES RELEASE DATE
db:VULHUBid:VHN-115937date:2017-09-12T00:00:00
db:BIDid:99098date:2017-06-15T00:00:00
db:JVNDBid:JVNDB-2017-007924date:2017-10-04T00:00:00
db:CNNVDid:CNNVD-201706-818date:2017-06-20T00:00:00
db:NVDid:CVE-2017-7734date:2017-09-12T02:29:00.373