Details of VAR-202003-0755

ID

VAR-202003-0755

CVE

CVE-2019-16156

TITLE

Fortinet FortiWeb Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2019-014907

DESCRIPTION

An Improper Neutralization of Input vulnerability in the Anomaly Detection Parameter Name in Fortinet FortiWeb 6.0.5, 6.2.0, and 6.1.1 may allow a remote unauthenticated attacker to perform a Cross Site Scripting attack (XSS). Fortinet FortiWeb Exists in a cross-site scripting vulnerability.Information may be obtained and tampered with. Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code

Trust: 1.8

sources: NVD: CVE-2019-16156 // JVNDB: JVNDB-2019-014907 // VULHUB: VHN-148274 // VULMON: CVE-2019-16156

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiweb	scope:	eq	version:	6.2.0	Trust: 1.8
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	6.1.0	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	lte	version:	6.0.5	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	lte	version:	6.1.1	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	eq	version:	6.0.5	Trust: 0.8
vendor:	fortinet	model:	fortiweb	scope:	eq	version:	6.1.1	Trust: 0.8

sources: JVNDB: JVNDB-2019-014907 // NVD: CVE-2019-16156

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-16156
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2019-014907
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202003-704
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-148274
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2019-16156
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-16156
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	JVNDB-2019-014907
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-148274
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-16156
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	JVNDB-2019-014907
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-148274 // VULMON: CVE-2019-16156 // JVNDB: JVNDB-2019-014907 // CNNVD: CNNVD-202003-704 // NVD: CVE-2019-16156

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-148274 // JVNDB: JVNDB-2019-014907 // NVD: CVE-2019-16156

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-704

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202003-704

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014907

PATCH

title:	FG-IR-19-265	url:	https://fortiguard.com/psirt/FG-IR-19-265	Trust: 0.8
title:	Fortinet FortiWeb Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112506	Trust: 0.6

sources: JVNDB: JVNDB-2019-014907 // CNNVD: CNNVD-202003-704

EXTERNAL IDS

db:	NVD	id:	CVE-2019-16156	Trust: 2.6
db:	JVNDB	id:	JVNDB-2019-014907	Trust: 0.8
db:	CNNVD	id:	CNNVD-202003-704	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.0899	Trust: 0.6
db:	CNVD	id:	CNVD-2020-19908	Trust: 0.1
db:	VULHUB	id:	VHN-148274	Trust: 0.1
db:	VULMON	id:	CVE-2019-16156	Trust: 0.1

sources: VULHUB: VHN-148274 // VULMON: CVE-2019-16156 // JVNDB: JVNDB-2019-014907 // CNNVD: CNNVD-202003-704 // NVD: CVE-2019-16156

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-19-265	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16156	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-16156	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2020.0899/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-148274 // VULMON: CVE-2019-16156 // JVNDB: JVNDB-2019-014907 // CNNVD: CNNVD-202003-704 // NVD: CVE-2019-16156

SOURCES

db:	VULHUB	id:	VHN-148274
db:	VULMON	id:	CVE-2019-16156
db:	JVNDB	id:	JVNDB-2019-014907
db:	CNNVD	id:	CNNVD-202003-704
db:	NVD	id:	CVE-2019-16156

LAST UPDATE DATE

2024-08-14T14:44:58.447000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-148274	date:	2020-03-17T00:00:00
db:	VULMON	id:	CVE-2019-16156	date:	2020-03-17T00:00:00
db:	JVNDB	id:	JVNDB-2019-014907	date:	2020-03-27T00:00:00
db:	CNNVD	id:	CNNVD-202003-704	date:	2020-03-18T00:00:00
db:	NVD	id:	CVE-2019-16156	date:	2020-03-17T19:57:14.853

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-148274	date:	2020-03-12T00:00:00
db:	VULMON	id:	CVE-2019-16156	date:	2020-03-12T00:00:00
db:	JVNDB	id:	JVNDB-2019-014907	date:	2020-03-27T00:00:00
db:	CNNVD	id:	CNNVD-202003-704	date:	2020-03-12T00:00:00
db:	NVD	id:	CVE-2019-16156	date:	2020-03-12T22:15:14.827