Sign-up

ID

VAR-201709-1217


CVE

CVE-2017-7735


TITLE

Fortinet FortiOS Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-007925

DESCRIPTION

A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.2.0 through 5.2.11 and 5.4.0 through 5.4.4 allows attackers to execute unauthorized code or commands via the "Groups" input while creating or editing User Groups. Fortinet FortiOS Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. FortiOS is prone to multiple cross-site scripting vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam

Trust: 1.98

sources: NVD: CVE-2017-7735 // JVNDB: JVNDB-2017-007925 // BID: 99098 // VULHUB: VHN-115938

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiosscope:eqversion:5.4.4

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.3

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.2

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.1

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.2.4

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.2.3

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.2.2

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.2.1

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.0

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.2.0

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.2.11

Trust: 1.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.8

Trust: 1.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.6

Trust: 1.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.5

Trust: 1.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.9

Trust: 1.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.10

Trust: 1.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.7

Trust: 1.0

vendor:fortinetmodel:fortiosscope:eqversion:5.2.0 to 5.2.11

Trust: 0.8

vendor:fortinetmodel:fortiosscope:eqversion:5.4.0 to 5.4.4

Trust: 0.8

vendor:fortinetmodel:fortiosscope:neversion:5.6

Trust: 0.3

vendor:fortinetmodel:fortiosscope:neversion:5.4.5

Trust: 0.3

sources: BID: 99098 // JVNDB: JVNDB-2017-007925 // CNNVD: CNNVD-201706-819 // NVD: CVE-2017-7735

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-7735
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-7735
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201706-819
value: LOW

Trust: 0.6

VULHUB: VHN-115938
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-7735
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-115938
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-7735
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-115938 // JVNDB: JVNDB-2017-007925 // CNNVD: CNNVD-201706-819 // NVD: CVE-2017-7735

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-115938 // JVNDB: JVNDB-2017-007925 // NVD: CVE-2017-7735

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-819

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201706-819

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-007925

PATCH
title:FG-IR-17-127url:http://fortiguard.com/psirt/FG-IR-17-127
Trust: 0.8
title:Fortinet FortiOS Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71089
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-007925 // 
            
            
            
            CNNVD: CNNVD-201706-819

EXTERNAL IDS
db:NVDid:CVE-2017-7735
Trust: 2.8
db:BIDid:99098
Trust: 2.0
db:SECTRACKid:1038705
Trust: 1.1
db:JVNDBid:JVNDB-2017-007925
Trust: 0.8
db:CNNVDid:CNNVD-201706-819
Trust: 0.7
db:VULHUBid:VHN-115938
Trust: 0.1
sources:
            
            
            VULHUB: VHN-115938 // 
            
            
            
            BID: 99098 // 
            
            
            
            JVNDB: JVNDB-2017-007925 // 
            
            
            
            CNNVD: CNNVD-201706-819 // 
            
            
            
            NVD: CVE-2017-7735

REFERENCES
url:http://www.securityfocus.com/bid/99098
Trust: 1.7
url:https://fortiguard.com/advisory/fg-ir-17-127
Trust: 1.7
url:http://www.securitytracker.com/id/1038705
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7735
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-7735
Trust: 0.8
url:http://www.fortinet.com/
Trust: 0.3
url:http://fortiguard.com/psirt/fg-ir-17-127
Trust: 0.3
sources:
            
            
            VULHUB: VHN-115938 // 
            
            
            
            BID: 99098 // 
            
            
            
            JVNDB: JVNDB-2017-007925 // 
            
            
            
            CNNVD: CNNVD-201706-819 // 
            
            
            
            NVD: CVE-2017-7735

CREDITS
Walmart's ISD Enterprise Security Testing (EST) Team
Trust: 0.9
sources:
            
            
            BID: 99098 // 
            
            
            
            CNNVD: CNNVD-201706-819

SOURCES
db:VULHUBid:VHN-115938
db:BIDid:99098
db:JVNDBid:JVNDB-2017-007925
db:CNNVDid:CNNVD-201706-819
db:NVDid:CVE-2017-7735

LAST UPDATE DATE
2024-08-14T14:27:03.444000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-115938date:2017-09-15T00:00:00
db:BIDid:99098date:2017-06-15T00:00:00
db:JVNDBid:JVNDB-2017-007925date:2017-10-04T00:00:00
db:CNNVDid:CNNVD-201706-819date:2017-09-13T00:00:00
db:NVDid:CVE-2017-7735date:2017-09-15T12:50:15.230

SOURCES RELEASE DATE
db:VULHUBid:VHN-115938date:2017-09-12T00:00:00
db:BIDid:99098date:2017-06-15T00:00:00
db:JVNDBid:JVNDB-2017-007925date:2017-10-04T00:00:00
db:CNNVDid:CNNVD-201706-819date:2017-06-20T00:00:00
db:NVDid:CVE-2017-7735date:2017-09-12T02:29:00.420