Sign-up

ID

VAR-202006-1683


CVE

CVE-2020-6640


TITLE

FortiAnalyzer Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-006093

DESCRIPTION

An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area. FortiAnalyzer Exists in a cross-site scripting vulnerability.Information may be obtained and tampered with. Fortinet FortiAnalyzer is a centralized network security reporting solution from Fortinet. This product is mainly used to collect network log data, and analyze, report, and archive the security events, network traffic, and Web content in the logs through the report suite. Fortinet FortiAnalyzer 6.2.3 and earlier versions have a cross-site scripting vulnerability in the administrator configuration file. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code

Trust: 1.8

sources: NVD: CVE-2020-6640 // JVNDB: JVNDB-2020-006093 // VULHUB: VHN-184765 // VULMON: CVE-2020-6640

AFFECTED PRODUCTS

vendor:fortinetmodel:fortianalyzerscope:ltversion:6.2.4

Trust: 1.0

vendor:fortinetmodel:fortianalyzerscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-006093 // NVD: CVE-2020-6640

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-6640
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-006093
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202006-424
value: MEDIUM

Trust: 0.6

VULHUB: VHN-184765
value: LOW

Trust: 0.1

VULMON: CVE-2020-6640
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2020-6640
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-006093
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-184765
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-6640
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-006093
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-184765 // VULMON: CVE-2020-6640 // JVNDB: JVNDB-2020-006093 // CNNVD: CNNVD-202006-424 // NVD: CVE-2020-6640

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-184765 // JVNDB: JVNDB-2020-006093 // NVD: CVE-2020-6640

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-424

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202006-424

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-006093

PATCH
title:FG-IR-20-003url:https://fortiguard.com/advisory/FG-IR-20-003
Trust: 0.8
title:Fortinet FortiAnalyzer Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=120790
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2020-006093 // 
            
            
            
            CNNVD: CNNVD-202006-424

EXTERNAL IDS
db:NVDid:CVE-2020-6640
Trust: 2.6
db:JVNDBid:JVNDB-2020-006093
Trust: 0.8
db:CNNVDid:CNNVD-202006-424
Trust: 0.7
db:AUSCERTid:ESB-2020.1965
Trust: 0.6
db:VULHUBid:VHN-184765
Trust: 0.1
db:VULMONid:CVE-2020-6640
Trust: 0.1
sources:
            
            
            VULHUB: VHN-184765 // 
            
            
            
            VULMON: CVE-2020-6640 // 
            
            
            
            JVNDB: JVNDB-2020-006093 // 
            
            
            
            CNNVD: CNNVD-202006-424 // 
            
            
            
            NVD: CVE-2020-6640

REFERENCES
url:https://fortiguard.com/advisory/fg-ir-20-003
Trust: 1.8
url:https://nvd.nist.gov/vuln/detail/cve-2020-6640
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-6640
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2020.1965/
Trust: 0.6
url:https://vigilance.fr/vulnerability/fortianalyzer-cross-site-scripting-via-admin-profile-description-area-32441
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/79.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            VULHUB: VHN-184765 // 
            
            
            
            VULMON: CVE-2020-6640 // 
            
            
            
            JVNDB: JVNDB-2020-006093 // 
            
            
            
            CNNVD: CNNVD-202006-424 // 
            
            
            
            NVD: CVE-2020-6640

SOURCES
db:VULHUBid:VHN-184765
db:VULMONid:CVE-2020-6640
db:JVNDBid:JVNDB-2020-006093
db:CNNVDid:CNNVD-202006-424
db:NVDid:CVE-2020-6640

LAST UPDATE DATE
2024-08-14T14:25:42.868000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-184765date:2020-06-08T00:00:00
db:VULMONid:CVE-2020-6640date:2020-06-08T00:00:00
db:JVNDBid:JVNDB-2020-006093date:2020-06-30T00:00:00
db:CNNVDid:CNNVD-202006-424date:2020-06-09T00:00:00
db:NVDid:CVE-2020-6640date:2020-06-08T00:26:29.567

SOURCES RELEASE DATE
db:VULHUBid:VHN-184765date:2020-06-04T00:00:00
db:VULMONid:CVE-2020-6640date:2020-06-04T00:00:00
db:JVNDBid:JVNDB-2020-006093date:2020-06-30T00:00:00
db:CNNVDid:CNNVD-202006-424date:2020-06-04T00:00:00
db:NVDid:CVE-2020-6640date:2020-06-04T13:15:11.163