Details of VAR-202003-1590

ID

VAR-202003-1590

CVE

CVE-2020-6646

TITLE

FortiWeb Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-003034

DESCRIPTION

An improper neutralization of input vulnerability in FortiWeb allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Disclaimer Description of a Replacement Message. FortiWeb Exists in a cross-site scripting vulnerability.Information may be obtained and tampered with. Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code

Trust: 1.71

sources: NVD: CVE-2020-6646 // JVNDB: JVNDB-2020-003034 // VULHUB: VHN-184771

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiweb	scope:	lte	version:	6.2.2	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	eq	version:	6.3.0	Trust: 1.0
vendor:	fortinet	model:	fortiweb	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-003034 // NVD: CVE-2020-6646

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-6646
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2020-003034
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202003-726
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-184771
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2020-6646
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-003034
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-184771
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-6646
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-003034
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-184771 // JVNDB: JVNDB-2020-003034 // CNNVD: CNNVD-202003-726 // NVD: CVE-2020-6646

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-184771 // JVNDB: JVNDB-2020-003034 // NVD: CVE-2020-6646

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-726

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202003-726

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003034

PATCH

title:	FG-IR-20-001	url:	https://fortiguard.com/psirt/FG-IR-20-001	Trust: 0.8
title:	Fortinet FortiWeb Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112296	Trust: 0.6

sources: JVNDB: JVNDB-2020-003034 // CNNVD: CNNVD-202003-726

EXTERNAL IDS

db:	NVD	id:	CVE-2020-6646	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-003034	Trust: 0.8
db:	AUSCERT	id:	ESB-2020.0899	Trust: 0.6
db:	CNNVD	id:	CNNVD-202003-726	Trust: 0.6
db:	CNVD	id:	CNVD-2020-21071	Trust: 0.1
db:	VULHUB	id:	VHN-184771	Trust: 0.1

sources: VULHUB: VHN-184771 // JVNDB: JVNDB-2020-003034 // CNNVD: CNNVD-202003-726 // NVD: CVE-2020-6646

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-20-001	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-6646	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-6646	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2020.0899/	Trust: 0.6

sources: VULHUB: VHN-184771 // JVNDB: JVNDB-2020-003034 // CNNVD: CNNVD-202003-726 // NVD: CVE-2020-6646

CREDITS

Danilo Costa from PBI

Trust: 0.6

sources: CNNVD: CNNVD-202003-726

SOURCES

db:	VULHUB	id:	VHN-184771
db:	JVNDB	id:	JVNDB-2020-003034
db:	CNNVD	id:	CNNVD-202003-726
db:	NVD	id:	CVE-2020-6646

LAST UPDATE DATE

2024-08-14T14:44:58.502000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-184771	date:	2020-03-19T00:00:00
db:	JVNDB	id:	JVNDB-2020-003034	date:	2020-04-02T00:00:00
db:	CNNVD	id:	CNNVD-202003-726	date:	2020-03-20T00:00:00
db:	NVD	id:	CVE-2020-6646	date:	2020-03-19T19:42:40.617

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-184771	date:	2020-03-17T00:00:00
db:	JVNDB	id:	JVNDB-2020-003034	date:	2020-04-02T00:00:00
db:	CNNVD	id:	CNNVD-202003-726	date:	2020-03-12T00:00:00
db:	NVD	id:	CVE-2020-6646	date:	2020-03-17T13:15:12.027