ID

VAR-202001-0590


CVE

CVE-2019-17651


TITLE

FortiSIEM vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-014309

DESCRIPTION

An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM version 5.2.5 and below may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious JavaScript code into the description field of a Device Maintenance schedule. FortiSIEM contains a cross-site scripting vulnerability. Information may be obtained and information may be falsified. Fortinet FortiSIEM is a security information and event management system developed by Fortinet Corporation. The system includes features such as asset discovery, workflow automation and unified management. A cross-site scripting vulnerability exists in Fortinet FortiSIEM 5.2.5 and earlier versions. The vulnerability stems from the lack of correct validation of client data in web applications. An attacker could exploit this vulnerability to execute client code.

Trust: 1.71

sources: NVD: CVE-2019-17651 // JVNDB: JVNDB-2019-014309 // VULHUB: VHN-149919

AFFECTED PRODUCTS

vendor: fortinet, model: fortisiem, scope: lte, version: 5.2.5

Trust: 1.0

vendor: フォーティネット, model: fortisiem, scope: eq, version: -

Trust: 0.8

vendor: フォーティネット, model: fortisiem, scope: lte, version: 5.2.5

Trust: 0.8

vendor: fortinet, model: fortisiem, scope: eq, version: 5.1.1

Trust: 0.6

vendor: fortinet, model: fortisiem, scope: eq, version: 5.2.0

Trust: 0.6

vendor: fortinet, model: fortisiem, scope: eq, version: 4.10.0

Trust: 0.6

vendor: fortinet, model: fortisiem, scope: eq, version: 5.0.1

Trust: 0.6

vendor: fortinet, model: fortisiem, scope: eq, version: 5.2.5

Trust: 0.6

vendor: fortinet, model: fortisiem, scope: eq, version: 5.1.2

Trust: 0.6

vendor: fortinet, model: fortisiem, scope: eq, version: 5.2.1

Trust: 0.6

vendor: fortinet, model: fortisiem, scope: eq, version: 5.0.0

Trust: 0.6

vendor: fortinet, model: fortisiem, scope: eq, version: 5.1.0

Trust: 0.6

sources: JVNDB: JVNDB-2019-014309 // CNNVD: CNNVD-202001-1206 // NVD: CVE-2019-17651

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-17651
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-17651
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202001-1206
value: MEDIUM

Trust: 0.6

VULHUB: VHN-149919
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2019-17651
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-149919
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-17651
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2019-17651
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-149919 // JVNDB: JVNDB-2019-014309 // CNNVD: CNNVD-202001-1206 // NVD: CVE-2019-17651

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.1

problemtype: Cross-site scripting (CWE-79) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-149919 // JVNDB: JVNDB-2019-014309 // NVD: CVE-2019-17651

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202001-1206

PATCH

title: FG-IR-19-197, url: https://fortiguard.com/psirt/FG-IR-19-197

Trust: 0.8

title: Fortinet FortiSIEM Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=109321

Trust: 0.6

sources: JVNDB: JVNDB-2019-014309 // CNNVD: CNNVD-202001-1206

EXTERNAL IDS

db: NVD, id: CVE-2019-17651

Trust: 2.5

db: JVNDB, id: JVNDB-2019-014309

Trust: 0.8

db: CNNVD, id: CNNVD-202001-1206

Trust: 0.7

db: AUSCERT, id: ESB-2020.0319

Trust: 0.6

db: CNVD, id: CNVD-2020-04930

Trust: 0.1

db: VULHUB, id: VHN-149919

Trust: 0.1

sources: VULHUB: VHN-149919 // JVNDB: JVNDB-2019-014309 // CNNVD: CNNVD-202001-1206 // NVD: CVE-2019-17651

REFERENCES

url: https://fortiguard.com/psirt/fg-ir-19-197

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-17651

Trust: 1.4

url: https://www.auscert.org.au/bulletins/esb-2020.0319/

Trust: 0.6

sources: VULHUB: VHN-149919 // JVNDB: JVNDB-2019-014309 // CNNVD: CNNVD-202001-1206 // NVD: CVE-2019-17651

SOURCES

db: VULHUB, id: VHN-149919
db: JVNDB, id: JVNDB-2019-014309
db: CNNVD, id: CNNVD-202001-1206
db: NVD, id: CVE-2019-17651

LAST UPDATE DATE

2024-11-23T22:55:19.097000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-149919, date: 2020-01-29T00:00:00
db: JVNDB, id: JVNDB-2019-014309, date: 2020-02-10T00:00:00
db: CNNVD, id: CNNVD-202001-1206, date: 2020-02-17T00:00:00
db: NVD, id: CVE-2019-17651, date: 2024-11-21T04:32:42.353

SOURCES RELEASE DATE

db: VULHUB, id: VHN-149919, date: 2020-01-28T00:00:00
db: JVNDB, id: JVNDB-2019-014309, date: 2020-02-10T00:00:00
db: CNNVD, id: CNNVD-202001-1206, date: 2020-01-27T00:00:00
db: NVD, id: CVE-2019-17651, date: 2020-01-28T01:15:11.050