ID

VAR-202112-0331


CVE

CVE-2021-41015


TITLE

Fortinet FortiWeb cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-015883

DESCRIPTION

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiWeb versions 6.4.1 and below and 6.3.15 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests to the SAML login handler. Fortinet FortiWeb contains a cross-site scripting vulnerability. Information may be obtained and information may be tampered with.

Trust: 1.71

sources: NVD: CVE-2021-41015 // JVNDB: JVNDB-2021-015883 // VULHUB: VHN-402288

AFFECTED PRODUCTS

vendor: fortinet
model: fortiweb
scope: eq
version: 6.4.1

Trust: 1.0

vendor: fortinet
model: fortiweb
scope: eq
version: 6.4.0

Trust: 1.0

vendor: Fortinet
model: fortiweb
scope: -
version: -

Trust: 0.8

vendor: Fortinet
model: fortiweb
scope: eq
version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-015883 // NVD: CVE-2021-41015

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-41015
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2021-41015
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-41015
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202112-642
value: MEDIUM

Trust: 0.6

VULHUB: VHN-402288
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-41015
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-402288
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-41015
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-015883
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-402288 // JVNDB: JVNDB-2021-015883 // CNNVD: CNNVD-202112-642 // NVD: CVE-2021-41015

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.1

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-402288 // JVNDB: JVNDB-2021-015883 // NVD: CVE-2021-41015

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202112-642

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202112-642

PATCH

title: FG-IR-21-139
url: https://www.fortiguard.com/psirt/FG-IR-21-139

Trust: 0.8

title: Fortinet FortiWeb fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=174404

Trust: 0.6

sources: JVNDB: JVNDB-2021-015883 // CNNVD: CNNVD-202112-642

EXTERNAL IDS

db: NVD, id: CVE-2021-41015

Trust: 3.3

db: JVNDB, id: JVNDB-2021-015883

Trust: 0.8

db: CNNVD, id: CNNVD-202112-642

Trust: 0.6

db: VULHUB, id: VHN-402288

Trust: 0.1

sources: VULHUB: VHN-402288 // JVNDB: JVNDB-2021-015883 // CNNVD: CNNVD-202112-642 // NVD: CVE-2021-41015

REFERENCES

url: https://fortiguard.com/advisory/fg-ir-21-139

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-41015

Trust: 1.4

sources: VULHUB: VHN-402288 // JVNDB: JVNDB-2021-015883 // CNNVD: CNNVD-202112-642 // NVD: CVE-2021-41015

SOURCES

db: VULHUB, id: VHN-402288
db: JVNDB, id: JVNDB-2021-015883
db: CNNVD, id: CNNVD-202112-642
db: NVD, id: CVE-2021-41015

LAST UPDATE DATE

2024-08-14T14:02:55.024000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-402288, date: 2021-12-09T00:00:00
db: JVNDB, id: JVNDB-2021-015883, date: 2022-12-01T07:33:00
db: CNNVD, id: CNNVD-202112-642, date: 2021-12-16T00:00:00
db: NVD, id: CVE-2021-41015, date: 2021-12-09T19:52:04.380

SOURCES RELEASE DATE

db: VULHUB, id: VHN-402288, date: 2021-12-08T00:00:00
db: JVNDB, id: JVNDB-2021-015883, date: 2022-12-01T00:00:00
db: CNNVD, id: CNNVD-202112-642, date: 2021-12-08T00:00:00
db: NVD, id: CVE-2021-41015, date: 2021-12-08T13:15:07.903