Sign-up

ID

VAR-201908-0130


CVE

CVE-2019-5590


TITLE

Fortinet FortiWeb Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-008730

DESCRIPTION

The URL part of the report message is not encoded in Fortinet FortiWeb 6.0.2 and below which may allow an attacker to execute unauthorized code or commands (Cross Site Scripting) via attack reports generated in HTML form. Fortinet FortiWeb Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Fortinet Fortiweb is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet Fortiweb 6.0.2 and prior are vulnerable. Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code

Trust: 1.98

sources: NVD: CVE-2019-5590 // JVNDB: JVNDB-2019-008730 // BID: 108786 // VULHUB: VHN-157025

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiwebscope:lteversion:6.0.2

Trust: 1.8

vendor:fortinetmodel:fortiwebscope:eqversion:6.0.2

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:6.0.1

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:6.0

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.9.1

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.7

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.6.1

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.6

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.5

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.4

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.1

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.0.1

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:eqversion:5.0.0

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:neversion:6.1.1

Trust: 0.3

vendor:fortinetmodel:fortiwebscope:neversion:6.0.3

Trust: 0.3

sources: BID: 108786 // JVNDB: JVNDB-2019-008730 // NVD: CVE-2019-5590

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-5590
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-5590
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201906-594
value: MEDIUM

Trust: 0.6

VULHUB: VHN-157025
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-5590
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-157025
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-5590
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-157025 // JVNDB: JVNDB-2019-008730 // CNNVD: CNNVD-201906-594 // NVD: CVE-2019-5590

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-157025 // JVNDB: JVNDB-2019-008730 // NVD: CVE-2019-5590

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-594

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201906-594

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-008730

PATCH
title:FG-IR-19-070url:https://fortiguard.com/psirt/FG-IR-19-070
Trust: 0.8
title:Fortinet FortiWeb Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93813
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-008730 // 
            
            
            
            CNNVD: CNNVD-201906-594

EXTERNAL IDS
db:NVDid:CVE-2019-5590
Trust: 2.8
db:BIDid:108786
Trust: 2.0
db:JVNDBid:JVNDB-2019-008730
Trust: 0.8
db:CNNVDid:CNNVD-201906-594
Trust: 0.7
db:AUSCERTid:ESB-2019.2106
Trust: 0.6
db:VULHUBid:VHN-157025
Trust: 0.1
sources:
            
            
            VULHUB: VHN-157025 // 
            
            
            
            BID: 108786 // 
            
            
            
            JVNDB: JVNDB-2019-008730 // 
            
            
            
            CNNVD: CNNVD-201906-594 // 
            
            
            
            NVD: CVE-2019-5590

REFERENCES
url:http://www.securityfocus.com/bid/108786
Trust: 1.7
url:https://fortiguard.com/advisory/fg-ir-19-070
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-5590
Trust: 1.4
url:http://www.fortinet.com/
Trust: 0.9
url:https://fortiguard.com/psirt/fg-ir-19-070
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5590
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2019.2106/
Trust: 0.6
sources:
            
            
            VULHUB: VHN-157025 // 
            
            
            
            BID: 108786 // 
            
            
            
            JVNDB: JVNDB-2019-008730 // 
            
            
            
            CNNVD: CNNVD-201906-594 // 
            
            
            
            NVD: CVE-2019-5590

CREDITS
Miquel Tur of KPMG Asesores, S.L., S.L
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201906-594

SOURCES
db:VULHUBid:VHN-157025
db:BIDid:108786
db:JVNDBid:JVNDB-2019-008730
db:CNNVDid:CNNVD-201906-594
db:NVDid:CVE-2019-5590

LAST UPDATE DATE
2024-08-14T14:56:47.717000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-157025date:2019-09-03T00:00:00
db:BIDid:108786date:2019-06-12T00:00:00
db:JVNDBid:JVNDB-2019-008730date:2019-09-05T00:00:00
db:CNNVDid:CNNVD-201906-594date:2019-09-04T00:00:00
db:NVDid:CVE-2019-5590date:2019-09-03T17:36:09.097

SOURCES RELEASE DATE
db:VULHUBid:VHN-157025date:2019-08-28T00:00:00
db:BIDid:108786date:2019-06-12T00:00:00
db:JVNDBid:JVNDB-2019-008730date:2019-09-05T00:00:00
db:CNNVDid:CNNVD-201906-594date:2019-06-13T00:00:00
db:NVDid:CVE-2019-5590date:2019-08-28T17:15:09.917