ID

VAR-202006-1683


CVE

CVE-2020-6640


TITLE

Cross-site scripting vulnerability in FortiAnalyzer

Trust: 0.8

sources: JVNDB: JVNDB-2020-006093

DESCRIPTION

An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross-site scripting (XSS) attack via the Description Area. A cross-site scripting vulnerability exists in FortiAnalyzer; information may be obtained and tampered with. Fortinet FortiAnalyzer is a centralized network security reporting solution from Fortinet. It is mainly used to collect network log data and to analyze, report on and archive the security events, network traffic and web content in those logs through its report suite. Fortinet FortiAnalyzer 6.2.3 and earlier versions have a cross-site scripting vulnerability in the administrator profile. The vulnerability stems from the lack of correct validation of client-supplied data in the web application. An attacker could exploit this vulnerability to execute client-side code.

Trust: 1.8

sources: NVD: CVE-2020-6640 // JVNDB: JVNDB-2020-006093 // VULHUB: VHN-184765 // VULMON: CVE-2020-6640

AFFECTED PRODUCTS

vendor: fortinet, model: fortianalyzer, scope: lt, version: 6.2.4

Trust: 1.0

vendor: fortinet, model: fortianalyzer, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-006093 // NVD: CVE-2020-6640

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-6640
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-006093
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202006-424
value: MEDIUM

Trust: 0.6

VULHUB: VHN-184765
value: LOW

Trust: 0.1

VULMON: CVE-2020-6640
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2020-6640
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-006093
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-184765
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-6640
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-006093
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-184765 // VULMON: CVE-2020-6640 // JVNDB: JVNDB-2020-006093 // CNNVD: CNNVD-202006-424 // NVD: CVE-2020-6640

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-184765 // JVNDB: JVNDB-2020-006093 // NVD: CVE-2020-6640

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-424

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202006-424

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-006093

PATCH

title: FG-IR-20-003
url: https://fortiguard.com/advisory/FG-IR-20-003

Trust: 0.8

title: Fortinet FortiAnalyzer Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=120790

Trust: 0.6

sources: JVNDB: JVNDB-2020-006093 // CNNVD: CNNVD-202006-424

EXTERNAL IDS

db: NVD, id: CVE-2020-6640

Trust: 2.6

db: JVNDB, id: JVNDB-2020-006093

Trust: 0.8

db: CNNVD, id: CNNVD-202006-424

Trust: 0.7

db: AUSCERT, id: ESB-2020.1965

Trust: 0.6

db: VULHUB, id: VHN-184765

Trust: 0.1

db: VULMON, id: CVE-2020-6640

Trust: 0.1

sources: VULHUB: VHN-184765 // VULMON: CVE-2020-6640 // JVNDB: JVNDB-2020-006093 // CNNVD: CNNVD-202006-424 // NVD: CVE-2020-6640

REFERENCES

url: https://fortiguard.com/advisory/fg-ir-20-003

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2020-6640

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-6640

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2020.1965/

Trust: 0.6

url: https://vigilance.fr/vulnerability/fortianalyzer-cross-site-scripting-via-admin-profile-description-area-32441

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-184765 // VULMON: CVE-2020-6640 // JVNDB: JVNDB-2020-006093 // CNNVD: CNNVD-202006-424 // NVD: CVE-2020-6640

SOURCES

db: VULHUB, id: VHN-184765
db: VULMON, id: CVE-2020-6640
db: JVNDB, id: JVNDB-2020-006093
db: CNNVD, id: CNNVD-202006-424
db: NVD, id: CVE-2020-6640

LAST UPDATE DATE

2024-08-14T14:25:42.868000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-184765, date: 2020-06-08T00:00:00
db: VULMON, id: CVE-2020-6640, date: 2020-06-08T00:00:00
db: JVNDB, id: JVNDB-2020-006093, date: 2020-06-30T00:00:00
db: CNNVD, id: CNNVD-202006-424, date: 2020-06-09T00:00:00
db: NVD, id: CVE-2020-6640, date: 2020-06-08T00:26:29.567

SOURCES RELEASE DATE

db: VULHUB, id: VHN-184765, date: 2020-06-04T00:00:00
db: VULMON, id: CVE-2020-6640, date: 2020-06-04T00:00:00
db: JVNDB, id: JVNDB-2020-006093, date: 2020-06-30T00:00:00
db: CNNVD, id: CNNVD-202006-424, date: 2020-06-04T00:00:00
db: NVD, id: CVE-2020-6640, date: 2020-06-04T13:15:11.163