Details of VAR-201805-1018

ID

VAR-201805-1018

CVE

CVE-2018-9186

TITLE

Fortinet FortiAuthenticator Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-005463

DESCRIPTION

A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF validation failure" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header. Fortinet FortiAuthenticator Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. FortinetFortiAuthenticator is a user identity management device that enhances enterprise security by simplifying and centralizing the management and storage of user identity information. A cross-site scripting vulnerability exists in the \"CSRF Authentication Failed\" page in FortinetFortiAuthenticator prior to 5.3.0. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to FortiAuthenticator 5.3.0 are vulnerable. Fortinet FortiAuthenticator is a series of security authentication software from Fortinet, which can be combined with FortiToken (two-factor authentication token) to provide secure two-factor authentication to third-party devices authenticated by RADIUS or LDAP

Trust: 2.52

sources: NVD: CVE-2018-9186 // JVNDB: JVNDB-2018-005463 // CNVD: CNVD-2018-10945 // BID: 104371 // VULHUB: VHN-139218

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-10945

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiauthenticator	scope:	lt	version:	5.3.0	Trust: 2.4
vendor:	fortinet	model:	fortiauthenticator	scope:	gte	version:	4.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	3.0.0	Trust: 0.9
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	5.2	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	5.1	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	5.0	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	4.3	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	4.2	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	3.2.1	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	3.2	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	3.1	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	3.0	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	2.0	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	1.0	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	ne	version:	5.3	Trust: 0.3

sources: CNVD: CNVD-2018-10945 // BID: 104371 // JVNDB: JVNDB-2018-005463 // CNNVD: CNNVD-201805-1164 // NVD: CVE-2018-9186

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-9186
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-9186
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2018-10945
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201805-1164
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-139218
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-9186
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-10945
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-139218
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-9186
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2018-10945 // VULHUB: VHN-139218 // JVNDB: JVNDB-2018-005463 // CNNVD: CNNVD-201805-1164 // NVD: CVE-2018-9186

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-139218 // JVNDB: JVNDB-2018-005463 // NVD: CVE-2018-9186

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201805-1164

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201805-1164

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-005463

PATCH

title:	FG-IR-18-059	url:	https://fortiguard.com/psirt/FG-IR-18-059	Trust: 0.8
title:	Patch for FortinetFortiAuthenticator Cross-Site Scripting Vulnerability (CNVD-2018-10945)	url:	https://www.cnvd.org.cn/patchInfo/show/131119	Trust: 0.6
title:	Fortinet FortiAuthenticator Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81182	Trust: 0.6

sources: CNVD: CNVD-2018-10945 // JVNDB: JVNDB-2018-005463 // CNNVD: CNNVD-201805-1164

EXTERNAL IDS

db:	NVD	id:	CVE-2018-9186	Trust: 3.4
db:	BID	id:	104371	Trust: 2.0
db:	JVNDB	id:	JVNDB-2018-005463	Trust: 0.8
db:	CNNVD	id:	CNNVD-201805-1164	Trust: 0.7
db:	CNVD	id:	CNVD-2018-10945	Trust: 0.6
db:	VULHUB	id:	VHN-139218	Trust: 0.1

sources: CNVD: CNVD-2018-10945 // VULHUB: VHN-139218 // BID: 104371 // JVNDB: JVNDB-2018-005463 // CNNVD: CNNVD-201805-1164 // NVD: CVE-2018-9186

REFERENCES

url:	http://www.securityfocus.com/bid/104371	Trust: 1.7
url:	https://fortiguard.com/advisory/fg-ir-18-059	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2018-9186	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-9186	Trust: 0.8
url:	http://www.fortinet.com/	Trust: 0.3
url:	https://fortiguard.com/psirt/fg-ir-18-059	Trust: 0.3

sources: CNVD: CNVD-2018-10945 // VULHUB: VHN-139218 // BID: 104371 // JVNDB: JVNDB-2018-005463 // CNNVD: CNNVD-201805-1164 // NVD: CVE-2018-9186

CREDITS

Arun Narayanan

Trust: 0.3

sources: BID: 104371

SOURCES

db:	CNVD	id:	CNVD-2018-10945
db:	VULHUB	id:	VHN-139218
db:	BID	id:	104371
db:	JVNDB	id:	JVNDB-2018-005463
db:	CNNVD	id:	CNNVD-201805-1164
db:	NVD	id:	CVE-2018-9186

LAST UPDATE DATE

2024-08-14T14:12:52.255000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-10945	date:	2018-06-05T00:00:00
db:	VULHUB	id:	VHN-139218	date:	2019-04-22T00:00:00
db:	BID	id:	104371	date:	2018-05-31T00:00:00
db:	JVNDB	id:	JVNDB-2018-005463	date:	2018-07-18T00:00:00
db:	CNNVD	id:	CNNVD-201805-1164	date:	2019-04-23T00:00:00
db:	NVD	id:	CVE-2018-9186	date:	2019-04-22T18:32:14.473

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-10945	date:	2018-06-05T00:00:00
db:	VULHUB	id:	VHN-139218	date:	2018-05-31T00:00:00
db:	BID	id:	104371	date:	2018-05-31T00:00:00
db:	JVNDB	id:	JVNDB-2018-005463	date:	2018-07-18T00:00:00
db:	CNNVD	id:	CNNVD-201805-1164	date:	2018-05-31T00:00:00
db:	NVD	id:	CVE-2018-9186	date:	2018-05-31T22:29:00.253