ID

VAR-202002-0835


CVE

CVE-2015-3613


TITLE

FortiManager Vulnerabilities in permissions management

Trust: 0.8

sources: JVNDB: JVNDB-2015-008561

DESCRIPTION

A vulnerability exists in the WebUI FTP backup page of FortiManager 5.2.1 and earlier and 5.0.10 and earlier. FortiManager contains a privilege management vulnerability. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may result.

FortiManager is prone to the following security vulnerabilities:

1. A remote privilege-escalation vulnerability
2. An HTML-injection vulnerability
3. An SQL-injection vulnerability
4. A local privilege-escalation vulnerability
5. An arbitrary file-download vulnerability

Exploiting these issues could allow an attacker to execute attacker-supplied HTML or script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, gain elevated privileges, or download arbitrary files from the web server and obtain potentially sensitive information. This may aid in other attacks.

Fortinet FortiManager is a centralized network security management platform developed by Fortinet. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management. An attacker could exploit this vulnerability to elevate privileges.

Trust: 1.98

sources: NVD: CVE-2015-3613 // JVNDB: JVNDB-2015-008561 // BID: 74444 // VULHUB: VHN-81574

AFFECTED PRODUCTS

vendor: fortinet, model: fortimanager, scope: lte, version: 5.2.1

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: gte, version: 5.2.0

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: lte, version: 5.0.10

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: gte, version: 5.0.0

Trust: 1.0

vendor: fortinet, model: fortimanager, scope: eq, version: 5.2.1

Trust: 0.9

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.10

Trust: 0.9

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.9

Trust: 0.9

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.8

Trust: 0.9

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.7

Trust: 0.9

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.6

Trust: 0.9

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.5

Trust: 0.9

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.4

Trust: 0.9

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.3

Trust: 0.9

vendor: フォーティネット, model: fortimanager, scope: eq, version: -

Trust: 0.8

vendor: フォーティネット, model: fortimanager, scope: lte, version: fortimanager firmware 5.2.1

Trust: 0.8

vendor: フォーティネット, model: fortimanager, scope: lte, version: fortimanager firmware 5.0.10

Trust: 0.8

vendor: fortinet, model: fortimanager, scope: eq, version: 5.2.0

Trust: 0.6

vendor: fortinet, model: fortimanager, scope: eq, version: 5.2

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.2

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0.1

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: eq, version: 5.0

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: ne, version: 5.2.2

Trust: 0.3

vendor: fortinet, model: fortimanager, scope: ne, version: 5.0.11

Trust: 0.3

sources: BID: 74444 // JVNDB: JVNDB-2015-008561 // CNNVD: CNNVD-202002-057 // NVD: CVE-2015-3613

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-3613
value: CRITICAL

Trust: 1.0

NVD: CVE-2015-3613
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202002-057
value: CRITICAL

Trust: 0.6

VULHUB: VHN-81574
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-3613
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-81574
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-3613
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2015-3613
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-81574 // JVNDB: JVNDB-2015-008561 // CNNVD: CNNVD-202002-057 // NVD: CVE-2015-3613

PROBLEMTYPE DATA

problemtype: CWE-269

Trust: 1.1

problemtype: Improper authority management (CWE-269) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-81574 // JVNDB: JVNDB-2015-008561 // NVD: CVE-2015-3613

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-057

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202002-057

PATCH

title: Multiple Vulnerabilities in FortiManager
url: https://fortiguard.com/psirt/FG-IR-15-011

Trust: 0.8

title: Fortinet FortiManager Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110665

Trust: 0.6

sources: JVNDB: JVNDB-2015-008561 // CNNVD: CNNVD-202002-057

EXTERNAL IDS

db: NVD, id: CVE-2015-3613

Trust: 2.8

db: BID, id: 74444

Trust: 2.0

db: SECTRACK, id: 1032188

Trust: 1.7

db: JVNDB, id: JVNDB-2015-008561

Trust: 0.8

db: CNNVD, id: CNNVD-202002-057

Trust: 0.7

db: CNVD, id: CNVD-2020-07201

Trust: 0.1

db: VULHUB, id: VHN-81574

Trust: 0.1

sources: VULHUB: VHN-81574 // BID: 74444 // JVNDB: JVNDB-2015-008561 // CNNVD: CNNVD-202002-057 // NVD: CVE-2015-3613

REFERENCES

url: https://fortiguard.com/psirt/fg-ir-15-011

Trust: 2.0

url: http://www.securityfocus.com/bid/74444

Trust: 1.7

url: http://www.securitytracker.com/id/1032188

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2015-3613

Trust: 1.4

url: http://www.fortinet.com/products/fortimanager/

Trust: 0.3

url: http://www.fortiguard.com/advisory/fg-ir-15-011/

Trust: 0.3

sources: VULHUB: VHN-81574 // BID: 74444 // JVNDB: JVNDB-2015-008561 // CNNVD: CNNVD-202002-057 // NVD: CVE-2015-3613

CREDITS

Maksymilian Motyl and the ITN Security Team at Orange Polska

Trust: 0.3

sources: BID: 74444

SOURCES

db: VULHUB, id: VHN-81574
db: BID, id: 74444
db: JVNDB, id: JVNDB-2015-008561
db: CNNVD, id: CNNVD-202002-057
db: NVD, id: CVE-2015-3613

LAST UPDATE DATE

2024-08-14T14:11:58.542000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-81574, date: 2020-02-05T00:00:00
db: BID, id: 74444, date: 2017-08-25T07:11:00
db: JVNDB, id: JVNDB-2015-008561, date: 2020-02-14T00:00:00
db: CNNVD, id: CNNVD-202002-057, date: 2020-03-02T00:00:00
db: NVD, id: CVE-2015-3613, date: 2020-02-05T21:17:13.417

SOURCES RELEASE DATE

db: VULHUB, id: VHN-81574, date: 2020-02-04T00:00:00
db: BID, id: 74444, date: 2015-04-16T00:00:00
db: JVNDB, id: JVNDB-2015-008561, date: 2020-02-14T00:00:00
db: CNNVD, id: CNNVD-202002-057, date: 2020-02-04T00:00:00
db: NVD, id: CVE-2015-3613, date: 2020-02-04T20:15:11.497