ID

VAR-202003-1590


CVE

CVE-2020-6646


TITLE

FortiWeb cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-003034

DESCRIPTION

An improper neutralization of input vulnerability in FortiWeb allows a remote authenticated attacker to perform a stored cross-site scripting (XSS) attack via the Disclaimer Description of a Replacement Message. FortiWeb contains a cross-site scripting vulnerability; information may be obtained and tampered with. Fortinet FortiWeb is a web application firewall developed by Fortinet that can block threats such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning, in order to secure web applications and protect sensitive database content. The vulnerability stems from a lack of proper validation of client-supplied data in the web application. An attacker could exploit this vulnerability to execute client-side code.

Trust: 1.71

sources: NVD: CVE-2020-6646 // JVNDB: JVNDB-2020-003034 // VULHUB: VHN-184771

AFFECTED PRODUCTS

vendor: fortinet
model: fortiweb
scope: lte
version: 6.2.2

Trust: 1.0

vendor: fortinet
model: fortiweb
scope: eq
version: 6.3.0

Trust: 1.0

vendor: fortinet
model: fortiweb
scope: -
version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-003034 // NVD: CVE-2020-6646

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-6646
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-003034
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202003-726
value: MEDIUM

Trust: 0.6

VULHUB: VHN-184771
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2020-6646
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003034
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-184771
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-6646
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003034
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-184771 // JVNDB: JVNDB-2020-003034 // CNNVD: CNNVD-202003-726 // NVD: CVE-2020-6646

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-184771 // JVNDB: JVNDB-2020-003034 // NVD: CVE-2020-6646

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-726

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202003-726

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003034

PATCH

title: FG-IR-20-001
url: https://fortiguard.com/psirt/FG-IR-20-001

Trust: 0.8

title: Fortinet FortiWeb fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112296

Trust: 0.6

sources: JVNDB: JVNDB-2020-003034 // CNNVD: CNNVD-202003-726

EXTERNAL IDS

db: NVD
id: CVE-2020-6646

Trust: 2.5

db: JVNDB
id: JVNDB-2020-003034

Trust: 0.8

db: AUSCERT
id: ESB-2020.0899

Trust: 0.6

db: CNNVD
id: CNNVD-202003-726

Trust: 0.6

db: CNVD
id: CNVD-2020-21071

Trust: 0.1

db: VULHUB
id: VHN-184771

Trust: 0.1

sources: VULHUB: VHN-184771 // JVNDB: JVNDB-2020-003034 // CNNVD: CNNVD-202003-726 // NVD: CVE-2020-6646

REFERENCES

url: https://fortiguard.com/advisory/fg-ir-20-001

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-6646

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-6646

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2020.0899/

Trust: 0.6

sources: VULHUB: VHN-184771 // JVNDB: JVNDB-2020-003034 // CNNVD: CNNVD-202003-726 // NVD: CVE-2020-6646

CREDITS

Danilo Costa from PBI

Trust: 0.6

sources: CNNVD: CNNVD-202003-726

SOURCES

db: VULHUB, id: VHN-184771
db: JVNDB, id: JVNDB-2020-003034
db: CNNVD, id: CNNVD-202003-726
db: NVD, id: CVE-2020-6646

LAST UPDATE DATE

2024-08-14T14:44:58.502000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-184771, date: 2020-03-19T00:00:00
db: JVNDB, id: JVNDB-2020-003034, date: 2020-04-02T00:00:00
db: CNNVD, id: CNNVD-202003-726, date: 2020-03-20T00:00:00
db: NVD, id: CVE-2020-6646, date: 2020-03-19T19:42:40.617

SOURCES RELEASE DATE

db: VULHUB, id: VHN-184771, date: 2020-03-17T00:00:00
db: JVNDB, id: JVNDB-2020-003034, date: 2020-04-02T00:00:00
db: CNNVD, id: CNNVD-202003-726, date: 2020-03-12T00:00:00
db: NVD, id: CVE-2020-6646, date: 2020-03-17T13:15:12.027