ID

VAR-201801-0107


CVE

CVE-2017-14190


TITLE

Fortinet FortiOS Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-012254

DESCRIPTION

A cross-site scripting vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.7, and 5.2 and earlier allows an attacker to inject arbitrary web script or HTML via a maliciously crafted "Host" header in user HTTP requests. Fortinet FortiOS contains a cross-site scripting vulnerability; information may be obtained and information may be altered. FortiOS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. The following products are affected: FortiOS 5.6.0 through 5.6.2; FortiOS 5.4.0 through 5.4.7; FortiOS 5.2 and prior. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, web content filtering and anti-spam.

Trust: 1.98

sources: NVD: CVE-2017-14190 // JVNDB: JVNDB-2017-012254 // BID: 102779 // VULHUB: VHN-104888

AFFECTED PRODUCTS

vendor: fortinet, model: fortios, scope: lte, version: 5.6.2

Trust: 1.0

vendor: fortinet, model: fortios, scope: lte, version: 5.4.7

Trust: 1.0

vendor: fortinet, model: fortios, scope: gte, version: 5.6.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: lte, version: 5.2.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: gte, version: 5.4.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: eq, version: 5.4.3

Trust: 0.9

vendor: fortinet, model: fortios, scope: eq, version: 5.4.0

Trust: 0.9

vendor: fortinet, model: fortios, scope: lte, version: 5.2

Trust: 0.8

vendor: fortinet, model: fortios, scope: eq, version: 5.4.0 to 5.4.7

Trust: 0.8

vendor: fortinet, model: fortios, scope: eq, version: 5.6.0 to 5.6.2

Trust: 0.8

vendor: fortinet, model: fortios, scope: eq, version: 5.2.0

Trust: 0.6

vendor: fortinet, model: fortios, scope: eq, version: 5.6.2

Trust: 0.3

vendor: fortinet, model: fortios, scope: eq, version: 5.6

Trust: 0.3

vendor: fortinet, model: fortios, scope: eq, version: 5.4.7

Trust: 0.3

vendor: fortinet, model: fortios, scope: eq, version: 5.4.6

Trust: 0.3

vendor: fortinet, model: fortios, scope: eq, version: 5.4.5

Trust: 0.3

vendor: fortinet, model: fortios, scope: eq, version: 5.4.4

Trust: 0.3

vendor: fortinet, model: fortios, scope: eq, version: 5.4.2

Trust: 0.3

vendor: fortinet, model: fortios, scope: eq, version: 5.4.1

Trust: 0.3

vendor: fortinet, model: fortios, scope: eq, version: 5.6.1

Trust: 0.3

vendor: fortinet, model: fortios, scope: eq, version: 5.2

Trust: 0.3

vendor: fortinet, model: fortios, scope: ne, version: 5.6.3

Trust: 0.3

vendor: fortinet, model: fortios, scope: ne, version: 5.4.8

Trust: 0.3

vendor: fortinet, model: fortios, scope: ne, version: 5.4

Trust: 0.3

sources: BID: 102779 // JVNDB: JVNDB-2017-012254 // CNNVD: CNNVD-201801-967 // NVD: CVE-2017-14190

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-14190
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-14190
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201801-967
value: MEDIUM

Trust: 0.6

VULHUB: VHN-104888
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-14190
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-104888
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-14190
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-104888 // JVNDB: JVNDB-2017-012254 // CNNVD: CNNVD-201801-967 // NVD: CVE-2017-14190

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-104888 // JVNDB: JVNDB-2017-012254 // NVD: CVE-2017-14190

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-967

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201801-967

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012254

PATCH

title: FG-IR-17-262, url: https://fortiguard.com/psirt/FG-IR-17-262

Trust: 0.8

title: Fortinet FortiOS Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78091

Trust: 0.6

sources: JVNDB: JVNDB-2017-012254 // CNNVD: CNNVD-201801-967

EXTERNAL IDS

db: NVD, id: CVE-2017-14190

Trust: 2.8

db: BID, id: 102779

Trust: 2.0

db: SECTRACK, id: 1040284

Trust: 1.1

db: JVNDB, id: JVNDB-2017-012254

Trust: 0.8

db: NSFOCUS, id: 38905

Trust: 0.6

db: CNNVD, id: CNNVD-201801-967

Trust: 0.6

db: VULHUB, id: VHN-104888

Trust: 0.1

sources: VULHUB: VHN-104888 // BID: 102779 // JVNDB: JVNDB-2017-012254 // CNNVD: CNNVD-201801-967 // NVD: CVE-2017-14190

REFERENCES

url: http://www.securityfocus.com/bid/102779

Trust: 1.7

url: https://fortiguard.com/advisory/fg-ir-17-262

Trust: 1.7

url: http://www.securitytracker.com/id/1040284

Trust: 1.1

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14190

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-14190

Trust: 0.8

url: http://www.nsfocus.net/vulndb/38905

Trust: 0.6

url: https://www.fortinet.com/

Trust: 0.3

url: https://fortiguard.com/psirt/fg-ir-17-262

Trust: 0.3

sources: VULHUB: VHN-104888 // BID: 102779 // JVNDB: JVNDB-2017-012254 // CNNVD: CNNVD-201801-967 // NVD: CVE-2017-14190

CREDITS

Dhiraj Shrikant Datar, Paramount Computer Systems FZ LLC

Trust: 0.9

sources: BID: 102779 // CNNVD: CNNVD-201801-967

SOURCES

db: VULHUB, id: VHN-104888
db: BID, id: 102779
db: JVNDB, id: JVNDB-2017-012254
db: CNNVD, id: CNNVD-201801-967
db: NVD, id: CVE-2017-14190

LAST UPDATE DATE

2024-08-14T15:18:34.281000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-104888, date: 2018-02-14T00:00:00
db: BID, id: 102779, date: 2018-01-22T00:00:00
db: JVNDB, id: JVNDB-2017-012254, date: 2018-03-01T00:00:00
db: CNNVD, id: CNNVD-201801-967, date: 2018-01-30T00:00:00
db: NVD, id: CVE-2017-14190, date: 2018-02-14T15:05:46.503

SOURCES RELEASE DATE

db: VULHUB, id: VHN-104888, date: 2018-01-29T00:00:00
db: BID, id: 102779, date: 2018-01-22T00:00:00
db: JVNDB, id: JVNDB-2017-012254, date: 2018-03-01T00:00:00
db: CNNVD, id: CNNVD-201801-967, date: 2018-01-26T00:00:00
db: NVD, id: CVE-2017-14190, date: 2018-01-29T16:29:00.230