Sign-up

ID

VAR-201801-0107


CVE

CVE-2017-14190


TITLE

Fortinet FortiOS Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-012254

DESCRIPTION

A Cross-site Scripting vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.7, 5.2 and earlier, allows attacker to inject arbitrary web script or HTML via maliciously crafted "Host" header in user HTTP requests. Fortinet FortiOS Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. FortiOS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. The following products are affected: FortiOS 5.6.0 through 5.6.2 FortiOS 5.4.0 through 5.4.7 FortiOS 5.2 and prior. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam

Trust: 1.98

sources: NVD: CVE-2017-14190 // JVNDB: JVNDB-2017-012254 // BID: 102779 // VULHUB: VHN-104888

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiosscope:lteversion:5.6.2

Trust: 1.0

vendor:fortinetmodel:fortiosscope:lteversion:5.4.7

Trust: 1.0

vendor:fortinetmodel:fortiosscope:gteversion:5.6.0

Trust: 1.0

vendor:fortinetmodel:fortiosscope:lteversion:5.2.0

Trust: 1.0

vendor:fortinetmodel:fortiosscope:gteversion:5.4.0

Trust: 1.0

vendor:fortinetmodel:fortiosscope:eqversion:5.4.3

Trust: 0.9

vendor:fortinetmodel:fortiosscope:eqversion:5.4.0

Trust: 0.9

vendor:fortinetmodel:fortiosscope:lteversion:5.2

Trust: 0.8

vendor:fortinetmodel:fortiosscope:eqversion:5.4.0 to 5.4.7

Trust: 0.8

vendor:fortinetmodel:fortiosscope:eqversion:5.6.0 to 5.6.2

Trust: 0.8

vendor:fortinetmodel:fortiosscope:eqversion:5.2.0

Trust: 0.6

vendor:fortinetmodel:fortiosscope:eqversion:5.6.2

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.6

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.7

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.6

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.5

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.4

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.2

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.1

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.6.1

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2

Trust: 0.3

vendor:fortinetmodel:fortiosscope:neversion:5.6.3

Trust: 0.3

vendor:fortinetmodel:fortiosscope:neversion:5.4.8

Trust: 0.3

vendor:fortinetmodel:fortiosscope:neversion:5.4

Trust: 0.3

sources: BID: 102779 // JVNDB: JVNDB-2017-012254 // CNNVD: CNNVD-201801-967 // NVD: CVE-2017-14190

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-14190
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-14190
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201801-967
value: MEDIUM

Trust: 0.6

VULHUB: VHN-104888
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-14190
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-104888
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-14190
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-104888 // JVNDB: JVNDB-2017-012254 // CNNVD: CNNVD-201801-967 // NVD: CVE-2017-14190

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-104888 // JVNDB: JVNDB-2017-012254 // NVD: CVE-2017-14190

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-967

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201801-967

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-012254

PATCH
title:FG-IR-17-262url:https://fortiguard.com/psirt/FG-IR-17-262
Trust: 0.8
title:Fortinet FortiOS Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78091
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-012254 // 
            
            
            
            CNNVD: CNNVD-201801-967

EXTERNAL IDS
db:NVDid:CVE-2017-14190
Trust: 2.8
db:BIDid:102779
Trust: 2.0
db:SECTRACKid:1040284
Trust: 1.1
db:JVNDBid:JVNDB-2017-012254
Trust: 0.8
db:NSFOCUSid:38905
Trust: 0.6
db:CNNVDid:CNNVD-201801-967
Trust: 0.6
db:VULHUBid:VHN-104888
Trust: 0.1
sources:
            
            
            VULHUB: VHN-104888 // 
            
            
            
            BID: 102779 // 
            
            
            
            JVNDB: JVNDB-2017-012254 // 
            
            
            
            CNNVD: CNNVD-201801-967 // 
            
            
            
            NVD: CVE-2017-14190

REFERENCES
url:http://www.securityfocus.com/bid/102779
Trust: 1.7
url:https://fortiguard.com/advisory/fg-ir-17-262
Trust: 1.7
url:http://www.securitytracker.com/id/1040284
Trust: 1.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14190
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-14190
Trust: 0.8
url:http://www.nsfocus.net/vulndb/38905
Trust: 0.6
url:https://www.fortinet.com/
Trust: 0.3
url:https://fortiguard.com/psirt/fg-ir-17-262
Trust: 0.3
sources:
            
            
            VULHUB: VHN-104888 // 
            
            
            
            BID: 102779 // 
            
            
            
            JVNDB: JVNDB-2017-012254 // 
            
            
            
            CNNVD: CNNVD-201801-967 // 
            
            
            
            NVD: CVE-2017-14190

CREDITS
Dhiraj Shrikant Datar, Paramount Computer Systems FZ LLC
Trust: 0.9
sources:
            
            
            BID: 102779 // 
            
            
            
            CNNVD: CNNVD-201801-967

SOURCES
db:VULHUBid:VHN-104888
db:BIDid:102779
db:JVNDBid:JVNDB-2017-012254
db:CNNVDid:CNNVD-201801-967
db:NVDid:CVE-2017-14190

LAST UPDATE DATE
2024-08-14T15:18:34.281000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-104888date:2018-02-14T00:00:00
db:BIDid:102779date:2018-01-22T00:00:00
db:JVNDBid:JVNDB-2017-012254date:2018-03-01T00:00:00
db:CNNVDid:CNNVD-201801-967date:2018-01-30T00:00:00
db:NVDid:CVE-2017-14190date:2018-02-14T15:05:46.503

SOURCES RELEASE DATE
db:VULHUBid:VHN-104888date:2018-01-29T00:00:00
db:BIDid:102779date:2018-01-22T00:00:00
db:JVNDBid:JVNDB-2017-012254date:2018-03-01T00:00:00
db:CNNVDid:CNNVD-201801-967date:2018-01-26T00:00:00
db:NVDid:CVE-2017-14190date:2018-01-29T16:29:00.230