Details of VAR-201908-0099

ID

VAR-201908-0099

CVE

CVE-2019-5594

TITLE

Fortinet FortiNAC cross-site scripting vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-22380 // CNNVD: CNNVD-201907-985

DESCRIPTION

An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI. Fortinet FortiNAC Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Fortinet FortiNAC is a network access control solution from Fortinet. This product is mainly used for network access control and IoT security protection. The admin webUI in Fortinet FortiNAC version 8.3.0 to 8.3.6 and 8.5.0 has a cross-site scripting vulnerability. The vulnerability stems from the lack of proper validation of client data by web applications. An attacker could use this vulnerability to execute client code. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiNAC 8.3.0 through 8.3.6 and 8.5.0 are vulnerable

Trust: 3.06

sources: NVD: CVE-2019-5594 // JVNDB: JVNDB-2019-008217 // CNVD: CNVD-2020-22380 // CNNVD: CNNVD-201907-985 // BID: 109302 // VULHUB: VHN-157029

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-22380

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortinac	scope:	eq	version:	8.5.0	Trust: 2.4
vendor:	fortinet	model:	fortinac	scope:	lte	version:	8.3.6	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	gte	version:	8.3.0	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	eq	version:	8.3.0 to 8.3.6	Trust: 0.8
vendor:	fortinet	model:	fortinac	scope:	gte	version:	8.3.0,<=8.3.6	Trust: 0.6
vendor:	fortinet	model:	fortinac	scope:	eq	version:	8.5	Trust: 0.3
vendor:	fortinet	model:	fortinac	scope:	eq	version:	8.3.6	Trust: 0.3
vendor:	fortinet	model:	fortinac	scope:	eq	version:	8.3.4	Trust: 0.3
vendor:	fortinet	model:	fortinac	scope:	eq	version:	8.3.3	Trust: 0.3
vendor:	fortinet	model:	fortinac	scope:	eq	version:	8.3.2	Trust: 0.3
vendor:	fortinet	model:	fortinac	scope:	eq	version:	8.3.1	Trust: 0.3
vendor:	fortinet	model:	fortinac	scope:	eq	version:	8.3	Trust: 0.3
vendor:	fortinet	model:	fortinac	scope:	ne	version:	8.5.1	Trust: 0.3
vendor:	fortinet	model:	fortinac	scope:	ne	version:	8.3.7	Trust: 0.3

sources: CNVD: CNVD-2020-22380 // BID: 109302 // JVNDB: JVNDB-2019-008217 // NVD: CVE-2019-5594

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-5594
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-5594
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-22380
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201907-985
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-157029
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-5594
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2020-22380
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-157029
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-5594
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2020-22380 // VULHUB: VHN-157029 // JVNDB: JVNDB-2019-008217 // CNNVD: CNNVD-201907-985 // NVD: CVE-2019-5594

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-157029 // JVNDB: JVNDB-2019-008217 // NVD: CVE-2019-5594

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-985

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201907-985

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008217

PATCH

title:	FG-IR-19-140	url:	https://fortiguard.com/psirt/FG-IR-19-140	Trust: 0.8
title:	Patch for Fortinet FortiNAC cross-site scripting vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/213611	Trust: 0.6
title:	Fortinet FortiNAC Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95287	Trust: 0.6

sources: CNVD: CNVD-2020-22380 // JVNDB: JVNDB-2019-008217 // CNNVD: CNNVD-201907-985

EXTERNAL IDS

db:	NVD	id:	CVE-2019-5594	Trust: 3.4
db:	BID	id:	109302	Trust: 1.0
db:	JVNDB	id:	JVNDB-2019-008217	Trust: 0.8
db:	CNNVD	id:	CNNVD-201907-985	Trust: 0.7
db:	CNVD	id:	CNVD-2020-22380	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.2651	Trust: 0.6
db:	VULHUB	id:	VHN-157029	Trust: 0.1

sources: CNVD: CNVD-2020-22380 // VULHUB: VHN-157029 // BID: 109302 // JVNDB: JVNDB-2019-008217 // CNNVD: CNNVD-201907-985 // NVD: CVE-2019-5594

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-5594	Trust: 2.0
url:	https://fortiguard.com/advisory/fg-ir-19-140	Trust: 1.7
url:	http://www.fortinet.com/	Trust: 0.9
url:	https://fortiguard.com/psirt/fg-ir-19-140	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5594	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2019.2651/	Trust: 0.6
url:	https://www.securityfocus.com/bid/109302	Trust: 0.6

sources: CNVD: CNVD-2020-22380 // VULHUB: VHN-157029 // BID: 109302 // JVNDB: JVNDB-2019-008217 // CNNVD: CNNVD-201907-985 // NVD: CVE-2019-5594

CREDITS

Johnatan Camargo from PBI | Dynamic IT Security.

Trust: 0.9

sources: BID: 109302 // CNNVD: CNNVD-201907-985

SOURCES

db:	CNVD	id:	CNVD-2020-22380
db:	VULHUB	id:	VHN-157029
db:	BID	id:	109302
db:	JVNDB	id:	JVNDB-2019-008217
db:	CNNVD	id:	CNNVD-201907-985
db:	NVD	id:	CVE-2019-5594

LAST UPDATE DATE

2024-11-23T22:21:33.758000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-22380	date:	2020-04-12T00:00:00
db:	VULHUB	id:	VHN-157029	date:	2019-08-26T00:00:00
db:	BID	id:	109302	date:	2019-07-16T00:00:00
db:	JVNDB	id:	JVNDB-2019-008217	date:	2019-08-28T00:00:00
db:	CNNVD	id:	CNNVD-201907-985	date:	2019-08-27T00:00:00
db:	NVD	id:	CVE-2019-5594	date:	2024-11-21T04:45:11.907

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-22380	date:	2020-04-12T00:00:00
db:	VULHUB	id:	VHN-157029	date:	2019-08-23T00:00:00
db:	BID	id:	109302	date:	2019-07-16T00:00:00
db:	JVNDB	id:	JVNDB-2019-008217	date:	2019-08-28T00:00:00
db:	CNNVD	id:	CNNVD-201907-985	date:	2019-07-17T00:00:00
db:	NVD	id:	CVE-2019-5594	date:	2019-08-23T21:15:12.130