Details of VAR-202108-0674

ID

VAR-202108-0674

CVE

CVE-2021-32590

TITLE

FortiPortal In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-012064

DESCRIPTION

Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiPortal 6.0.0 through 6.0.4, 5.3.0 through 5.3.5, 5.2.0 through 5.2.5, and 4.2.2 and earlier may allow an attacker with regular user's privileges to execute arbitrary commands on the underlying SQL database via specifically crafted HTTP requests. FortiPortal for, SQL There is an injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.34

sources: NVD: CVE-2021-32590 // JVNDB: JVNDB-2021-012064 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-392562 // VULMON: CVE-2021-32590

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiportal	scope:	lte	version:	4.2.4	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	lte	version:	5.0.3	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	lt	version:	5.3.6	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	lte	version:	4.1.2	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	lte	version:	3.2.2	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	lt	version:	5.2.6	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	gte	version:	4.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	lt	version:	6.0.5	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	gte	version:	4.2.0	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	gte	version:	5.2.0	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	lte	version:	4.0.4	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	gte	version:	5.3.0	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	lte	version:	5.1.2	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	gte	version:	3.2.0	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	gte	version:	4.1.0	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	gte	version:	5.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiportal	scope:	gte	version:	5.1.0	Trust: 1.0
vendor:	フォーティネット	model:	fortiportal	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiportal	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-012064 // NVD: CVE-2021-32590

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-32590
value:	HIGH
Trust: 1.0
psirt@fortinet.com:	CVE-2021-32590
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-32590
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202108-275
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-392562
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-32590
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-32590
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-392562
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-32590
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2021-32590
baseSeverity:	CRITICAL
baseScore:	9.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.1
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2021-32590
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-392562 // VULMON: CVE-2021-32590 // JVNDB: JVNDB-2021-012064 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-275 // NVD: CVE-2021-32590 // NVD: CVE-2021-32590

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.1
problemtype:	SQL injection (CWE-89) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-392562 // JVNDB: JVNDB-2021-012064 // NVD: CVE-2021-32590

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-275

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	FG-IR-21-084	url:	https://fortiguard.com/advisory/FG-IR-21-084	Trust: 0.8
title:	Fortinet FortiPortal SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=158542	Trust: 0.6

sources: JVNDB: JVNDB-2021-012064 // CNNVD: CNNVD-202108-275

EXTERNAL IDS

db:	NVD	id:	CVE-2021-32590	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-012064	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021080312	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2613	Trust: 0.6
db:	CNNVD	id:	CNNVD-202108-275	Trust: 0.6
db:	VULHUB	id:	VHN-392562	Trust: 0.1
db:	VULMON	id:	CVE-2021-32590	Trust: 0.1

sources: VULHUB: VHN-392562 // VULMON: CVE-2021-32590 // JVNDB: JVNDB-2021-012064 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-275 // NVD: CVE-2021-32590

REFERENCES

url:	https://fortiguard.com/advisory/fg-ir-21-084	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-32590	Trust: 1.4
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2613	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021080312	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/89.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-392562 // VULMON: CVE-2021-32590 // JVNDB: JVNDB-2021-012064 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-275 // NVD: CVE-2021-32590

SOURCES

db:	VULHUB	id:	VHN-392562
db:	VULMON	id:	CVE-2021-32590
db:	JVNDB	id:	JVNDB-2021-012064
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202108-275
db:	NVD	id:	CVE-2021-32590

LAST UPDATE DATE

2024-08-14T12:59:52.005000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-392562	date:	2021-08-11T00:00:00
db:	VULMON	id:	CVE-2021-32590	date:	2021-08-11T00:00:00
db:	JVNDB	id:	JVNDB-2021-012064	date:	2022-08-23T04:30:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202108-275	date:	2021-08-24T00:00:00
db:	NVD	id:	CVE-2021-32590	date:	2021-08-11T00:11:43.947

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-392562	date:	2021-08-04T00:00:00
db:	VULMON	id:	CVE-2021-32590	date:	2021-08-04T00:00:00
db:	JVNDB	id:	JVNDB-2021-012064	date:	2022-08-23T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202108-275	date:	2021-08-03T00:00:00
db:	NVD	id:	CVE-2021-32590	date:	2021-08-04T14:15:08.200