ID

VAR-201903-1121


CVE

CVE-2017-7340


TITLE

Fortinet FortiPortal Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-014399

DESCRIPTION

A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via the applicationSearch parameter in the FortiView functionality. Fortinet FortiPortal Contains a cross-site scripting vulnerability.The information may be obtained and the information may be falsified. FortiPortal is prone to the following multiple security vulnerabilities. An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, bypass security restriction and perform unauthorized actions, redirect users to an attacker-controlled site or obtain sensitive information. Versions prior to FortiPortal 4.0.1 are vulnerable

Trust: 1.98

sources: NVD: CVE-2017-7340 // JVNDB: JVNDB-2017-014399 // BID: 98484 // VULHUB: VHN-115543

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiportalscope:lteversion:4.0.0

Trust: 1.8

vendor:fortinetmodel:fortiportalscope:eqversion:4.0

Trust: 0.3

vendor:fortinetmodel:fortiportalscope:neversion:4.0.1

Trust: 0.3

sources: BID: 98484 // JVNDB: JVNDB-2017-014399 // NVD: CVE-2017-7340

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-7340
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-7340
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201703-1374
value: MEDIUM

Trust: 0.6

VULHUB: VHN-115543
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-7340
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-115543
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-7340
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-115543 // JVNDB: JVNDB-2017-014399 // CNNVD: CNNVD-201703-1374 // NVD: CVE-2017-7340

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-115543 // JVNDB: JVNDB-2017-014399 // NVD: CVE-2017-7340

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-1374

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201703-1374

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014399

PATCH

title:FG-IR-17-114url:https://fortiguard.com/psirt/FG-IR-17-114

Trust: 0.8

title:Fortinet FortiPortal Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90379

Trust: 0.6

sources: JVNDB: JVNDB-2017-014399 // CNNVD: CNNVD-201703-1374

EXTERNAL IDS

db:NVDid:CVE-2017-7340

Trust: 2.8

db:JVNDBid:JVNDB-2017-014399

Trust: 0.8

db:CNNVDid:CNNVD-201703-1374

Trust: 0.7

db:BIDid:98484

Trust: 0.3

db:VULHUBid:VHN-115543

Trust: 0.1

sources: VULHUB: VHN-115543 // BID: 98484 // JVNDB: JVNDB-2017-014399 // CNNVD: CNNVD-201703-1374 // NVD: CVE-2017-7340

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-17-114

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2017-7340

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7340

Trust: 0.8

url:http://www.fortinet.com/

Trust: 0.3

sources: VULHUB: VHN-115543 // BID: 98484 // JVNDB: JVNDB-2017-014399 // CNNVD: CNNVD-201703-1374 // NVD: CVE-2017-7340

CREDITS

David Tredger, Senior Security Consultant, Aura Information Security

Trust: 0.3

sources: BID: 98484

SOURCES

db:VULHUBid:VHN-115543
db:BIDid:98484
db:JVNDBid:JVNDB-2017-014399
db:CNNVDid:CNNVD-201703-1374
db:NVDid:CVE-2017-7340

LAST UPDATE DATE

2024-11-23T21:52:26.994000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-115543date:2019-03-26T00:00:00
db:BIDid:98484date:2017-05-15T00:00:00
db:JVNDBid:JVNDB-2017-014399date:2019-04-23T00:00:00
db:CNNVDid:CNNVD-201703-1374date:2019-04-01T00:00:00
db:NVDid:CVE-2017-7340date:2024-11-21T03:31:39.213

SOURCES RELEASE DATE

db:VULHUBid:VHN-115543date:2019-03-25T00:00:00
db:BIDid:98484date:2017-05-15T00:00:00
db:JVNDBid:JVNDB-2017-014399date:2019-04-23T00:00:00
db:CNNVDid:CNNVD-201703-1374date:2017-03-31T00:00:00
db:NVDid:CVE-2017-7340date:2019-03-25T21:29:03.787