ID

VAR-202009-0096


CVE

CVE-2020-12817


TITLE

Fortinet FortiAnalyzer Injection vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202009-1286

DESCRIPTION

An improper neutralization of input vulnerability in FortiAnalyzer before 6.4.1 and 6.2.5 may allow a remote authenticated attacker to inject script-related HTML tags via the Name parameter of Storage Connectors. Fortinet FortiAnalyzer is a centralized network security reporting solution from Fortinet. This product is mainly used to collect network log data and to analyze, report on, and archive the security events, network traffic, and web content in the logs through the report suite. Fortinet FortiAnalyzer has a security vulnerability that stems from the lack of correct validation of client data in web applications. An attacker could exploit this vulnerability to trigger cross-site scripting through the storage connector and run JavaScript code in the context of the website.

Trust: 0.99

sources: NVD: CVE-2020-12817 // VULHUB: VHN-165533

AFFECTED PRODUCTS

vendor: fortinet
model: fortitester
scope: lte
version: 3.7.0

Trust: 1.0

vendor: fortinet
model: fortitester
scope: eq
version: 3.8.0

Trust: 1.0

vendor: fortinet
model: fortianalyzer
scope: eq
version: 6.4.1

Trust: 1.0

vendor: fortinet
model: fortianalyzer
scope: eq
version: 6.2.5

Trust: 1.0

vendor: fortinet
model: fortianalyzer
scope: eq
version: 6.4.0

Trust: 1.0

sources: NVD: CVE-2020-12817

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-12817
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202009-1286
value: HIGH

Trust: 0.6

VULHUB: VHN-165533
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-12817
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-165533
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-12817
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-165533 // CNNVD: CNNVD-202009-1286 // NVD: CVE-2020-12817

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.1

problemtype: CWE-74

Trust: 0.1

sources: VULHUB: VHN-165533 // NVD: CVE-2020-12817

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-1286

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-202009-1286

PATCH

title: Fortinet FortiAnalyzer Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=129722

Trust: 0.6

sources: CNNVD: CNNVD-202009-1286

EXTERNAL IDS

db: NVD, id: CVE-2020-12817

Trust: 1.7

db: AUSCERT, id: ESB-2020.3228

Trust: 0.6

db: CNNVD, id: CNNVD-202009-1286

Trust: 0.6

db: CNVD, id: CNVD-2020-53812

Trust: 0.1

db: VULHUB, id: VHN-165533

Trust: 0.1

sources: VULHUB: VHN-165533 // CNNVD: CNNVD-202009-1286 // NVD: CVE-2020-12817

REFERENCES

url: https://fortiguard.com/advisory/fg-ir-20-054

Trust: 1.7

url: https://vigilance.fr/vulnerability/fortinet-fortianalyzer-cross-site-scripting-via-storage-connectors-33381

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.3228/

Trust: 0.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-12817

Trust: 0.6

sources: VULHUB: VHN-165533 // CNNVD: CNNVD-202009-1286 // NVD: CVE-2020-12817

SOURCES

db: VULHUB, id: VHN-165533
db: CNNVD, id: CNNVD-202009-1286
db: NVD, id: CVE-2020-12817

LAST UPDATE DATE

2024-08-14T14:56:15.924000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-165533, date: 2021-07-21T00:00:00
db: CNNVD, id: CNNVD-202009-1286, date: 2020-10-22T00:00:00
db: NVD, id: CVE-2020-12817, date: 2021-07-21T11:39:23.747

SOURCES RELEASE DATE

db: VULHUB, id: VHN-165533, date: 2020-09-24T00:00:00
db: CNNVD, id: CNNVD-202009-1286, date: 2020-09-22T00:00:00
db: NVD, id: CVE-2020-12817, date: 2020-09-24T15:15:13.173