Details of VAR-202002-0834

ID

VAR-202002-0834

CVE

CVE-2015-3612

TITLE

FortiManager Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2015-008560

DESCRIPTION

A Cross-site Scripting (XSS) vulnerability exists in FortiManager 5.2.1 and earlier and 5.0.10 and earlier via an unspecified parameter in the FortiWeb auto update service page. FortiManager Contains a cross-site scripting vulnerability.The information may be obtained and the information may be altered. FortiManager is prone to following security vulnerabilities: 1. A remote privilege-escalation vulnerability 2. An HTML-injection vulnerability 3. An SQL-injection vulnerability 4. A local privilege-escalation vulnerability 5. An arbitrary file-download vulnerability Exploiting these issues could allow an attacker to execute attacker-supplied HTML or script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, gain elevated privileges, or download arbitrary files from the web server and obtain potentially sensitive information. This may aid in other attacks. Fortinet FortiManager is a centralized network security management platform developed by Fortinet. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code

Trust: 1.98

sources: NVD: CVE-2015-3612 // JVNDB: JVNDB-2015-008560 // BID: 74444 // VULHUB: VHN-81573

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortimanager	scope:	lte	version:	5.2.1	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	5.2.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	lte	version:	5.0.10	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	gte	version:	5.0.0	Trust: 1.0
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.2.1	Trust: 0.9
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.0.10	Trust: 0.9
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.0.9	Trust: 0.9
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.0.8	Trust: 0.9
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.0.7	Trust: 0.9
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.0.6	Trust: 0.9
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.0.5	Trust: 0.9
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.0.4	Trust: 0.9
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.0.3	Trust: 0.9
vendor:	フォーティネット	model:	fortimanager	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	lte	version:	fortimanager firmware 5.2.1	Trust: 0.8
vendor:	フォーティネット	model:	fortimanager	scope:	lte	version:	fortimanager firmware 5.0.10	Trust: 0.8
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.2.0	Trust: 0.6
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.2	Trust: 0.3
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.0.2	Trust: 0.3
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.0.1	Trust: 0.3
vendor:	fortinet	model:	fortimanager	scope:	eq	version:	5.0	Trust: 0.3
vendor:	fortinet	model:	fortimanager	scope:	ne	version:	5.2.2	Trust: 0.3
vendor:	fortinet	model:	fortimanager	scope:	ne	version:	5.0.11	Trust: 0.3

sources: BID: 74444 // JVNDB: JVNDB-2015-008560 // CNNVD: CNNVD-202002-056 // NVD: CVE-2015-3612

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-3612
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-3612
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202002-056
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-81573
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2015-3612
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-81573
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2015-3612
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2015-3612
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-81573 // JVNDB: JVNDB-2015-008560 // CNNVD: CNNVD-202002-056 // NVD: CVE-2015-3612

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.1
problemtype:	Cross-site scripting (CWE-79) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-81573 // JVNDB: JVNDB-2015-008560 // NVD: CVE-2015-3612

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-056

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202002-056

PATCH

title:	Multiple Vulnerabilities in FortiManager	url:	https://fortiguard.com/psirt/FG-IR-15-011	Trust: 0.8
title:	Fortinet FortiManager Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=109812	Trust: 0.6

sources: JVNDB: JVNDB-2015-008560 // CNNVD: CNNVD-202002-056

EXTERNAL IDS

db:	NVD	id:	CVE-2015-3612	Trust: 2.8
db:	BID	id:	74444	Trust: 2.0
db:	SECTRACK	id:	1032188	Trust: 1.7
db:	JVNDB	id:	JVNDB-2015-008560	Trust: 0.8
db:	CNNVD	id:	CNNVD-202002-056	Trust: 0.7
db:	CNVD	id:	CNVD-2020-14765	Trust: 0.1
db:	VULHUB	id:	VHN-81573	Trust: 0.1

sources: VULHUB: VHN-81573 // BID: 74444 // JVNDB: JVNDB-2015-008560 // CNNVD: CNNVD-202002-056 // NVD: CVE-2015-3612

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-15-011	Trust: 2.0
url:	http://www.securityfocus.com/bid/74444	Trust: 1.7
url:	http://www.securitytracker.com/id/1032188	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2015-3612	Trust: 1.4
url:	http://www.fortinet.com/products/fortimanager/	Trust: 0.3
url:	http://www.fortiguard.com/advisory/fg-ir-15-011/	Trust: 0.3

sources: VULHUB: VHN-81573 // BID: 74444 // JVNDB: JVNDB-2015-008560 // CNNVD: CNNVD-202002-056 // NVD: CVE-2015-3612

CREDITS

Maksymilian Motyl and the ITN Security Team at Orange Polska

Trust: 0.3

sources: BID: 74444

SOURCES

db:	VULHUB	id:	VHN-81573
db:	BID	id:	74444
db:	JVNDB	id:	JVNDB-2015-008560
db:	CNNVD	id:	CNNVD-202002-056
db:	NVD	id:	CVE-2015-3612

LAST UPDATE DATE

2024-08-14T14:11:58.448000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-81573	date:	2020-02-05T00:00:00
db:	BID	id:	74444	date:	2017-08-25T07:11:00
db:	JVNDB	id:	JVNDB-2015-008560	date:	2020-02-14T00:00:00
db:	CNNVD	id:	CNNVD-202002-056	date:	2020-02-18T00:00:00
db:	NVD	id:	CVE-2015-3612	date:	2020-02-05T21:35:35.687

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-81573	date:	2020-02-04T00:00:00
db:	BID	id:	74444	date:	2015-04-16T00:00:00
db:	JVNDB	id:	JVNDB-2015-008560	date:	2020-02-14T00:00:00
db:	CNNVD	id:	CNNVD-202002-056	date:	2020-02-04T00:00:00
db:	NVD	id:	CVE-2015-3612	date:	2020-02-04T20:15:11.433