ID

VAR-202002-0834


CVE

CVE-2015-3612


TITLE

FortiManager Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2015-008560

DESCRIPTION

A cross-site scripting (XSS) vulnerability exists in FortiManager 5.2.1 and earlier and 5.0.10 and earlier via an unspecified parameter in the FortiWeb auto update service page. FortiManager contains a cross-site scripting vulnerability; an attacker may obtain or alter information.

FortiManager is prone to the following security vulnerabilities:

1. A remote privilege-escalation vulnerability
2. An HTML-injection vulnerability
3. An SQL-injection vulnerability
4. A local privilege-escalation vulnerability
5. An arbitrary file-download vulnerability

Exploiting these issues could allow an attacker to execute attacker-supplied HTML or script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, gain elevated privileges, or download arbitrary files from the web server and obtain potentially sensitive information. This may aid in other attacks.

Fortinet FortiManager is a centralized network security management platform developed by Fortinet. It supports centralized management of any number of Fortinet devices and can group devices into administrative domains (ADOMs) to further simplify multi-device security deployment and management. The vulnerability stems from the web application's failure to correctly validate client-supplied data. An attacker could exploit it to execute client-side script in a victim's browser.

Trust: 1.98

sources: NVD: CVE-2015-3612 // JVNDB: JVNDB-2015-008560 // BID: 74444 // VULHUB: VHN-81573
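The CWE-79 pattern the description refers to, shown as an added example in Python (this is not Fortinet code and not the affected page): a handler that reflects a request parameter verbatim, the same handler with contextual output encoding, and the canary probe a scanner or pentester uses to tell the two apart. The advisory only says "an unspecified parameter in the FortiWeb auto update service page", so the page markup and the parameter name `service_url` are hypothetical stand-ins.

```python
"""Reflected XSS (CWE-79): the vulnerable pattern, its fix, and a canary probe.

Added example, not Fortinet code. The advisory only says "an unspecified
parameter in the FortiWeb auto update service page", so the page markup and
the parameter name below (PARAM) are hypothetical stand-ins.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

PARAM = "service_url"  # hypothetical; the real parameter is not disclosed

PAGE = (
    "<html><body><h1>FortiWeb auto update service</h1>"
    "<p>Update server: {text}</p>"
    '<form><input name="' + PARAM + '" value="{attr}"></form>'
    "</body></html>"
)


def render_vulnerable(query_string: str) -> str:
    """Reflect the parameter verbatim into a text node and an attribute.

    This is the CWE-79 defect: client-supplied data is trusted as markup, so
    a value such as  "><script>...  closes the attribute and injects a tag.
    """
    value = parse_qs(query_string).get(PARAM, [""])[0]
    return PAGE.format(text=value, attr=value)


def render_hardened(query_string: str) -> str:
    """Same page with contextual output encoding on every interpolation.

    html.escape(quote=True) rewrites & < > " ' so the value can neither close
    the attribute nor start a tag. Encoding belongs at the output boundary,
    not only at input validation, because one value may be emitted in several
    HTML contexts.
    """
    value = parse_qs(query_string).get(PARAM, [""])[0]
    safe = html.escape(value, quote=True)
    return PAGE.format(text=safe, attr=safe)


# Probe payload: closes an attribute, then opens a uniquely named tag. It is
# harmless by itself; the test only asks whether it survives as markup.
CANARY = '"><xsscanary7c1 onmouseover=1>'


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def canary_became_tag(body: str) -> bool:
    """True if the canary was parsed as an element rather than as text."""
    p = _TagCollector()
    p.feed(body)
    p.close()
    return "xsscanary7c1" in p.tags


def probe(render) -> dict:
    """Send the canary through a renderer and report what came back.

    'reflected_raw' is the naive substring check many scanners start with;
    'became_tag' is the stronger test that the reflection changed the DOM.
    """
    body = render(urlencode({PARAM: CANARY}))
    return {"reflected_raw": CANARY in body, "became_tag": canary_became_tag(body)}


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name:10s} {probe(fn)}")
```

Run stand-alone, the vulnerable renderer reports the canary both reflected and parsed as a new element; the hardened one reports neither. The `became_tag` check is the one worth keeping in a scanner: a substring match fires on any echo of the payload, while parsing the response shows whether the reflection actually created markup, which is what "execute client-side script in the victim's browser" requires.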

AFFECTED PRODUCTS

vendor:fortinetmodel:fortimanagerscope:lteversion:5.2.1

Trust: 1.0

vendor:fortinetmodel:fortimanagerscope:gteversion:5.2.0

Trust: 1.0

vendor:fortinetmodel:fortimanagerscope:lteversion:5.0.10

Trust: 1.0

vendor:fortinetmodel:fortimanagerscope:gteversion:5.0.0

Trust: 1.0

vendor:fortinetmodel:fortimanagerscope:eqversion:5.2.1

Trust: 0.9

vendor:fortinetmodel:fortimanagerscope:eqversion:5.0.10

Trust: 0.9

vendor:fortinetmodel:fortimanagerscope:eqversion:5.0.9

Trust: 0.9

vendor:fortinetmodel:fortimanagerscope:eqversion:5.0.8

Trust: 0.9

vendor:fortinetmodel:fortimanagerscope:eqversion:5.0.7

Trust: 0.9

vendor:fortinetmodel:fortimanagerscope:eqversion:5.0.6

Trust: 0.9

vendor:fortinetmodel:fortimanagerscope:eqversion:5.0.5

Trust: 0.9

vendor:fortinetmodel:fortimanagerscope:eqversion:5.0.4

Trust: 0.9

vendor:fortinetmodel:fortimanagerscope:eqversion:5.0.3

Trust: 0.9

vendor:fortinetmodel:fortimanagerscope:eqversion: -

Trust: 0.8

vendor:fortinetmodel:fortimanagerscope:lteversion:fortimanager firmware 5.2.1

Trust: 0.8

vendor:fortinetmodel:fortimanagerscope:lteversion:fortimanager firmware 5.0.10

Trust: 0.8

vendor:fortinetmodel:fortimanagerscope:eqversion:5.2.0

Trust: 0.6

vendor:fortinetmodel:fortimanagerscope:eqversion:5.2

Trust: 0.3

vendor:fortinetmodel:fortimanagerscope:eqversion:5.0.2

Trust: 0.3

vendor:fortinetmodel:fortimanagerscope:eqversion:5.0.1

Trust: 0.3

vendor:fortinetmodel:fortimanagerscope:eqversion:5.0

Trust: 0.3

vendor:fortinetmodel:fortimanagerscope:neversion:5.2.2

Trust: 0.3

vendor:fortinetmodel:fortimanagerscope:neversion:5.0.11

Trust: 0.3

sources: BID: 74444 // JVNDB: JVNDB-2015-008560 // CNNVD: CNNVD-202002-056 // NVD: CVE-2015-3612

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-3612
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-3612
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202002-056
value: MEDIUM

Trust: 0.6

VULHUB: VHN-81573
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2015-3612
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-81573
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-3612
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2015-3612
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-81573 // JVNDB: JVNDB-2015-008560 // CNNVD: CNNVD-202002-056 // NVD: CVE-2015-3612

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

problemtype:Cross-site scripting (CWE-79) [NVD Evaluation ]

Trust: 0.8

sources: VULHUB: VHN-81573 // JVNDB: JVNDB-2015-008560 // NVD: CVE-2015-3612

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-056

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202002-056

PATCH

title:Multiple Vulnerabilities in FortiManagerurl:https://fortiguard.com/psirt/FG-IR-15-011

Trust: 0.8

title:Fortinet FortiManager Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=109812

Trust: 0.6

sources: JVNDB: JVNDB-2015-008560 // CNNVD: CNNVD-202002-056

EXTERNAL IDS

db:NVDid:CVE-2015-3612

Trust: 2.8

db:BIDid:74444

Trust: 2.0

db:SECTRACKid:1032188

Trust: 1.7

db:JVNDBid:JVNDB-2015-008560

Trust: 0.8

db:CNNVDid:CNNVD-202002-056

Trust: 0.7

db:CNVDid:CNVD-2020-14765

Trust: 0.1

db:VULHUBid:VHN-81573

Trust: 0.1

sources: VULHUB: VHN-81573 // BID: 74444 // JVNDB: JVNDB-2015-008560 // CNNVD: CNNVD-202002-056 // NVD: CVE-2015-3612

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-15-011

Trust: 2.0

url:http://www.securityfocus.com/bid/74444

Trust: 1.7

url:http://www.securitytracker.com/id/1032188

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2015-3612

Trust: 1.4

url:http://www.fortinet.com/products/fortimanager/

Trust: 0.3

url:http://www.fortiguard.com/advisory/fg-ir-15-011/

Trust: 0.3

sources: VULHUB: VHN-81573 // BID: 74444 // JVNDB: JVNDB-2015-008560 // CNNVD: CNNVD-202002-056 // NVD: CVE-2015-3612

CREDITS

Maksymilian Motyl and the ITN Security Team at Orange Polska

Trust: 0.3

sources: BID: 74444

SOURCES

db:VULHUBid:VHN-81573
db:BIDid:74444
db:JVNDBid:JVNDB-2015-008560
db:CNNVDid:CNNVD-202002-056
db:NVDid:CVE-2015-3612

LAST UPDATE DATE

2024-08-14T14:11:58.448000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-81573date:2020-02-05T00:00:00
db:BIDid:74444date:2017-08-25T07:11:00
db:JVNDBid:JVNDB-2015-008560date:2020-02-14T00:00:00
db:CNNVDid:CNNVD-202002-056date:2020-02-18T00:00:00
db:NVDid:CVE-2015-3612date:2020-02-05T21:35:35.687

SOURCES RELEASE DATE

db:VULHUBid:VHN-81573date:2020-02-04T00:00:00
db:BIDid:74444date:2015-04-16T00:00:00
db:JVNDBid:JVNDB-2015-008560date:2020-02-14T00:00:00
db:CNNVDid:CNNVD-202002-056date:2020-02-04T00:00:00
db:NVDid:CVE-2015-3612date:2020-02-04T20:15:11.433