ID

VAR-201908-0130


CVE

CVE-2019-5590


TITLE

Fortinet FortiWeb Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-008730

DESCRIPTION

The URL part of the report message is not encoded in Fortinet FortiWeb 6.0.2 and below, which may allow an attacker to execute unauthorized code or commands (cross-site scripting) via attack reports generated in HTML form. Fortinet FortiWeb contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Fortinet FortiWeb is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiWeb 6.0.2 and prior are vulnerable. Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content. The vulnerability stems from the lack of correct validation of client data in web applications. An attacker could exploit this vulnerability to execute client-side code.

Trust: 1.98

sources: NVD: CVE-2019-5590 // JVNDB: JVNDB-2019-008730 // BID: 108786 // VULHUB: VHN-157025

AFFECTED PRODUCTS

vendor: fortinet, model: fortiweb, scope: lte, version: 6.0.2

Trust: 1.8

vendor: fortinet, model: fortiweb, scope: eq, version: 6.0.2

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: eq, version: 6.0.1

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: eq, version: 6.0

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: eq, version: 5.9.1

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: eq, version: 5.7

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: eq, version: 5.6.1

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: eq, version: 5.6

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: eq, version: 5.5

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: eq, version: 5.4

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: eq, version: 5.1

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: eq, version: 5.0.1

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: eq, version: 5.0.0

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: ne, version: 6.1.1

Trust: 0.3

vendor: fortinet, model: fortiweb, scope: ne, version: 6.0.3

Trust: 0.3

sources: BID: 108786 // JVNDB: JVNDB-2019-008730 // NVD: CVE-2019-5590

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-5590
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-5590
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201906-594
value: MEDIUM

Trust: 0.6

VULHUB: VHN-157025
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-5590
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-157025
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-5590
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-157025 // JVNDB: JVNDB-2019-008730 // CNNVD: CNNVD-201906-594 // NVD: CVE-2019-5590

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-157025 // JVNDB: JVNDB-2019-008730 // NVD: CVE-2019-5590

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-594

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201906-594

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008730

PATCH

title: FG-IR-19-070, url: https://fortiguard.com/psirt/FG-IR-19-070

Trust: 0.8

title: Fortinet FortiWeb fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93813

Trust: 0.6

sources: JVNDB: JVNDB-2019-008730 // CNNVD: CNNVD-201906-594

EXTERNAL IDS

db: NVD, id: CVE-2019-5590

Trust: 2.8

db: BID, id: 108786

Trust: 2.0

db: JVNDB, id: JVNDB-2019-008730

Trust: 0.8

db: CNNVD, id: CNNVD-201906-594

Trust: 0.7

db: AUSCERT, id: ESB-2019.2106

Trust: 0.6

db: VULHUB, id: VHN-157025

Trust: 0.1

sources: VULHUB: VHN-157025 // BID: 108786 // JVNDB: JVNDB-2019-008730 // CNNVD: CNNVD-201906-594 // NVD: CVE-2019-5590

REFERENCES

url: http://www.securityfocus.com/bid/108786

Trust: 1.7

url: https://fortiguard.com/advisory/fg-ir-19-070

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-5590

Trust: 1.4

url: http://www.fortinet.com/

Trust: 0.9

url: https://fortiguard.com/psirt/fg-ir-19-070

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5590

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2019.2106/

Trust: 0.6

sources: VULHUB: VHN-157025 // BID: 108786 // JVNDB: JVNDB-2019-008730 // CNNVD: CNNVD-201906-594 // NVD: CVE-2019-5590

CREDITS

Miquel Tur of KPMG Asesores, S.L.

Trust: 0.6

sources: CNNVD: CNNVD-201906-594

SOURCES

db: VULHUB, id: VHN-157025
db: BID, id: 108786
db: JVNDB, id: JVNDB-2019-008730
db: CNNVD, id: CNNVD-201906-594
db: NVD, id: CVE-2019-5590

LAST UPDATE DATE

2024-08-14T14:56:47.717000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-157025, date: 2019-09-03T00:00:00
db: BID, id: 108786, date: 2019-06-12T00:00:00
db: JVNDB, id: JVNDB-2019-008730, date: 2019-09-05T00:00:00
db: CNNVD, id: CNNVD-201906-594, date: 2019-09-04T00:00:00
db: NVD, id: CVE-2019-5590, date: 2019-09-03T17:36:09.097

SOURCES RELEASE DATE

db: VULHUB, id: VHN-157025, date: 2019-08-28T00:00:00
db: BID, id: 108786, date: 2019-06-12T00:00:00
db: JVNDB, id: JVNDB-2019-008730, date: 2019-09-05T00:00:00
db: CNNVD, id: CNNVD-201906-594, date: 2019-06-13T00:00:00
db: NVD, id: CVE-2019-5590, date: 2019-08-28T17:15:09.917