Details of VAR-202009-0096

ID

VAR-202009-0096

CVE

CVE-2020-12817

TITLE

Fortinet FortiAnalyzer Injection vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202009-1286

DESCRIPTION

An improper neutralization of input vulnerability in FortiAnalyzer before 6.4.1 and 6.2.5 may allow a remote authenticated attacker to inject script related HTML tags via Name parameter of Storage Connectors. Fortinet FortiAnalyzer is a centralized network security reporting solution from Fortinet. This product is mainly used to collect network log data, and analyze, report, and archive the security events, network traffic, and Web content in the logs through the report suite. Fortinet FortiAnalyzer has a security vulnerability, which stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to trigger cross-site scripting through the storage connector to run JavaScript code in the context of the website

Trust: 0.99

sources: NVD: CVE-2020-12817 // VULHUB: VHN-165533

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortitester	scope:	lte	version:	3.7.0	Trust: 1.0
vendor:	fortinet	model:	fortitester	scope:	eq	version:	3.8.0	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	eq	version:	6.4.1	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	eq	version:	6.2.5	Trust: 1.0
vendor:	fortinet	model:	fortianalyzer	scope:	eq	version:	6.4.0	Trust: 1.0

sources: NVD: CVE-2020-12817

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-12817
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202009-1286
value:	HIGH
Trust: 0.6
VULHUB:	VHN-165533
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-12817
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-165533
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-12817
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-165533 // CNNVD: CNNVD-202009-1286 // NVD: CVE-2020-12817

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.1
problemtype:	CWE-74	Trust: 0.1

sources: VULHUB: VHN-165533 // NVD: CVE-2020-12817

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-1286

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-202009-1286

PATCH

title:

Fortinet FortiAnalyzer Security vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=129722

Trust: 0.6

sources: CNNVD: CNNVD-202009-1286

EXTERNAL IDS

db:	NVD	id:	CVE-2020-12817	Trust: 1.7
db:	AUSCERT	id:	ESB-2020.3228	Trust: 0.6
db:	CNNVD	id:	CNNVD-202009-1286	Trust: 0.6
db:	CNVD	id:	CNVD-2020-53812	Trust: 0.1
db:	VULHUB	id:	VHN-165533	Trust: 0.1

sources: VULHUB: VHN-165533 // CNNVD: CNNVD-202009-1286 // NVD: CVE-2020-12817

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-20-054	Trust: 1.7
url:	https://vigilance.fr/vulnerability/fortinet-fortianalyzer-cross-site-scripting-via-storage-connectors-33381	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3228/	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12817	Trust: 0.6

sources: VULHUB: VHN-165533 // CNNVD: CNNVD-202009-1286 // NVD: CVE-2020-12817

SOURCES

db:	VULHUB	id:	VHN-165533
db:	CNNVD	id:	CNNVD-202009-1286
db:	NVD	id:	CVE-2020-12817

LAST UPDATE DATE

2024-08-14T14:56:15.924000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-165533	date:	2021-07-21T00:00:00
db:	CNNVD	id:	CNNVD-202009-1286	date:	2020-10-22T00:00:00
db:	NVD	id:	CVE-2020-12817	date:	2021-07-21T11:39:23.747

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-165533	date:	2020-09-24T00:00:00
db:	CNNVD	id:	CNNVD-202009-1286	date:	2020-09-22T00:00:00
db:	NVD	id:	CVE-2020-12817	date:	2020-09-24T15:15:13.173