Details of VAR-202001-0771

ID

VAR-202001-0771

CVE

CVE-2019-15707

TITLE

FortiMail admin Vulnerable to unauthorized authentication

Trust: 0.8

sources: JVNDB: JVNDB-2019-014334

DESCRIPTION

An improper access control vulnerability in FortiMail admin webUI 6.2.0, 6.0.0 to 6.0.6, 5.4.10 and below may allow administrators to perform system backup config download they should not be authorized for. FortiMail admin Contains an incorrect authentication vulnerability.Information may be obtained. Fortinet FortiMail is a suite of e-mail security gateway products from Fortinet. The product provides features such as email security and data protection. Fortinet FortiMail version 6.2.0, versions 6.0.0 to 6.0.6, and versions 5.4.10 and earlier have security vulnerabilities. Attackers can exploit this vulnerability to download system backup configuration files

Trust: 1.71

sources: NVD: CVE-2019-15707 // JVNDB: JVNDB-2019-014334 // VULHUB: VHN-147780

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortimail	scope:	lte	version:	6.0.6	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	lte	version:	5.4.10	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	eq	version:	6.2.0	Trust: 1.0
vendor:	フォーティネット	model:	fortimail	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortimail	scope:	eq	version:	6.2.0	Trust: 0.8
vendor:	フォーティネット	model:	fortimail	scope:	eq	version:	6.0.0 to 6.0.6	Trust: 0.8
vendor:	フォーティネット	model:	fortimail	scope:	lte	version:	5.4.10	Trust: 0.8

sources: JVNDB: JVNDB-2019-014334 // NVD: CVE-2019-15707

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-15707
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-15707
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201910-1250
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-147780
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-15707
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-147780
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-15707
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2019-15707
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-147780 // JVNDB: JVNDB-2019-014334 // CNNVD: CNNVD-201910-1250 // NVD: CVE-2019-15707

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Incorrect authentication (CWE-863) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2019-014334 // NVD: CVE-2019-15707

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1250

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201910-1250

PATCH

title:	FG-IR-19-237	url:	https://fortiguard.com/psirt/FG-IR-19-237	Trust: 0.8
title:	Fortinet FortiMail Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110857	Trust: 0.6

sources: JVNDB: JVNDB-2019-014334 // CNNVD: CNNVD-201910-1250

EXTERNAL IDS

db:	NVD	id:	CVE-2019-15707	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-014334	Trust: 0.8
db:	CNNVD	id:	CNNVD-201910-1250	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3914.2	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.3914	Trust: 0.6
db:	VULHUB	id:	VHN-147780	Trust: 0.1

sources: VULHUB: VHN-147780 // JVNDB: JVNDB-2019-014334 // CNNVD: CNNVD-201910-1250 // NVD: CVE-2019-15707

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-19-237	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-15707	Trust: 1.4
url:	https://fortiguard.com/psirt/fg-ir-19-237	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3914/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3914.2/	Trust: 0.6

sources: VULHUB: VHN-147780 // JVNDB: JVNDB-2019-014334 // CNNVD: CNNVD-201910-1250 // NVD: CVE-2019-15707

SOURCES

db:	VULHUB	id:	VHN-147780
db:	JVNDB	id:	JVNDB-2019-014334
db:	CNNVD	id:	CNNVD-201910-1250
db:	NVD	id:	CVE-2019-15707

LAST UPDATE DATE

2024-08-14T14:26:00.203000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-147780	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-014334	date:	2020-02-10T00:00:00
db:	CNNVD	id:	CNNVD-201910-1250	date:	2020-10-22T00:00:00
db:	NVD	id:	CVE-2019-15707	date:	2020-08-24T17:37:01.140

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-147780	date:	2020-01-23T00:00:00
db:	JVNDB	id:	JVNDB-2019-014334	date:	2020-02-10T00:00:00
db:	CNNVD	id:	CNNVD-201910-1250	date:	2019-10-21T00:00:00
db:	NVD	id:	CVE-2019-15707	date:	2020-01-23T18:15:13.197