ID

VAR-201709-1216


CVE

CVE-2017-7734


TITLE

Fortinet FortiOS Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-007924

DESCRIPTION

A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 allows attackers to execute unauthorized code or commands via 'Comments' while saving Config Revisions. Fortinet FortiOS Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. FortiOS is prone to multiple cross-site scripting vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam

Trust: 1.98

sources: NVD: CVE-2017-7734 // JVNDB: JVNDB-2017-007924 // BID: 99098 // VULHUB: VHN-115937

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiosscope:eqversion:5.4.4

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.3

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.2

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.1

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.0

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.0 to 5.4.4

Trust: 0.8

vendor:fortinetmodel:fortiosscope:eqversion:5.2.11

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.8

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.6

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.5

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.4

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.3

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.2

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.1

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.9

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.10

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.0

Trust: 0.3

vendor:fortinetmodel:fortiosscope:neversion:5.6

Trust: 0.3

vendor:fortinetmodel:fortiosscope:neversion:5.4.5

Trust: 0.3

sources: BID: 99098 // JVNDB: JVNDB-2017-007924 // CNNVD: CNNVD-201706-818 // NVD: CVE-2017-7734

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-7734
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-7734
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201706-818
value: LOW

Trust: 0.6

VULHUB: VHN-115937
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-7734
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-115937
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-7734
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-115937 // JVNDB: JVNDB-2017-007924 // CNNVD: CNNVD-201706-818 // NVD: CVE-2017-7734

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-115937 // JVNDB: JVNDB-2017-007924 // NVD: CVE-2017-7734

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-818

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201706-818

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007924

PATCH

title:FG-IR-17-127url:http://fortiguard.com/psirt/FG-IR-17-127

Trust: 0.8

title:Fortinet FortiOS Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71088

Trust: 0.6

sources: JVNDB: JVNDB-2017-007924 // CNNVD: CNNVD-201706-818

EXTERNAL IDS

db:NVDid:CVE-2017-7734

Trust: 2.8

db:BIDid:99098

Trust: 2.0

db:SECTRACKid:1038705

Trust: 1.1

db:JVNDBid:JVNDB-2017-007924

Trust: 0.8

db:CNNVDid:CNNVD-201706-818

Trust: 0.7

db:VULHUBid:VHN-115937

Trust: 0.1

sources: VULHUB: VHN-115937 // BID: 99098 // JVNDB: JVNDB-2017-007924 // CNNVD: CNNVD-201706-818 // NVD: CVE-2017-7734

REFERENCES

url:http://www.securityfocus.com/bid/99098

Trust: 1.7

url:https://fortiguard.com/advisory/fg-ir-17-127

Trust: 1.7

url:http://www.securitytracker.com/id/1038705

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7734

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-7734

Trust: 0.8

url:http://www.fortinet.com/

Trust: 0.3

url:http://fortiguard.com/psirt/fg-ir-17-127

Trust: 0.3

sources: VULHUB: VHN-115937 // BID: 99098 // JVNDB: JVNDB-2017-007924 // CNNVD: CNNVD-201706-818 // NVD: CVE-2017-7734

CREDITS

Walmart's ISD Enterprise Security Testing (EST) Team

Trust: 0.9

sources: BID: 99098 // CNNVD: CNNVD-201706-818

SOURCES

db:VULHUBid:VHN-115937
db:BIDid:99098
db:JVNDBid:JVNDB-2017-007924
db:CNNVDid:CNNVD-201706-818
db:NVDid:CVE-2017-7734

LAST UPDATE DATE

2024-08-14T14:27:03.412000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-115937date:2017-09-15T00:00:00
db:BIDid:99098date:2017-06-15T00:00:00
db:JVNDBid:JVNDB-2017-007924date:2017-10-04T00:00:00
db:CNNVDid:CNNVD-201706-818date:2017-09-13T00:00:00
db:NVDid:CVE-2017-7734date:2017-09-15T12:49:14.667

SOURCES RELEASE DATE

db:VULHUBid:VHN-115937date:2017-09-12T00:00:00
db:BIDid:99098date:2017-06-15T00:00:00
db:JVNDBid:JVNDB-2017-007924date:2017-10-04T00:00:00
db:CNNVDid:CNNVD-201706-818date:2017-06-20T00:00:00
db:NVDid:CVE-2017-7734date:2017-09-12T02:29:00.373