Details of VAR-202302-1327

ID

VAR-202302-1327

CVE

CVE-2023-22638

TITLE

fortinet's FortiNAC Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-004331

DESCRIPTION

Several improper neutralization of inputs during web page generation vulnerability [CWE-79] in FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.11 and below, 8.7.6 and below, 8.6.5 and below, 8.5.4 and below, 8.3.7 and below may allow an authenticated attacker to perform several XSS attacks via crafted HTTP GET requests. fortinet's FortiNAC Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Fortinet FortiNAC is a network access control solution developed by Fortinet. This product is mainly used for network access control and IoT security protection

Trust: 2.34

sources: NVD: CVE-2023-22638 // JVNDB: JVNDB-2023-004331 // CNNVD: CNNVD-202302-1424 // VULHUB: VHN-450600 // VULMON: CVE-2023-22638

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortinac	scope:	lte	version:	8.7.6	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	gte	version:	9.2.0	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	gte	version:	8.7.0	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	lte	version:	8.5.4	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	lte	version:	8.6.5	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	gte	version:	9.1.0	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	lte	version:	9.2.7	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	lte	version:	9.1.9	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	eq	version:	8.3.7	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	eq	version:	9.4.0	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	gte	version:	8.6.0	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	gte	version:	8.8.0	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	eq	version:	9.4.1	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	lte	version:	8.8.11	Trust: 1.0
vendor:	fortinet	model:	fortinac	scope:	gte	version:	8.5.0	Trust: 1.0
vendor:	フォーティネット	model:	fortinac	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortinac	scope:	eq	version:	8.6.0 to 8.6.5	Trust: 0.8
vendor:	フォーティネット	model:	fortinac	scope:	eq	version:	8.3.7	Trust: 0.8
vendor:	フォーティネット	model:	fortinac	scope:	eq	version:	9.2.0 to 9.2.7	Trust: 0.8
vendor:	フォーティネット	model:	fortinac	scope:	eq	version:	9.1.0 to 9.1.9	Trust: 0.8
vendor:	フォーティネット	model:	fortinac	scope:	eq	version:	8.7.0 to 8.7.6	Trust: 0.8
vendor:	フォーティネット	model:	fortinac	scope:	eq	version:	9.4.1	Trust: 0.8
vendor:	フォーティネット	model:	fortinac	scope:	eq	version:	8.5.0 to 8.5.4	Trust: 0.8
vendor:	フォーティネット	model:	fortinac	scope:	eq	version:	9.4.0	Trust: 0.8
vendor:	フォーティネット	model:	fortinac	scope:	eq	version:	8.8.0 to 8.8.11	Trust: 0.8

sources: JVNDB: JVNDB-2023-004331 // NVD: CVE-2023-22638

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-22638
value:	MEDIUM
Trust: 1.0
psirt@fortinet.com:	CVE-2023-22638
value:	HIGH
Trust: 1.0
NVD:	CVE-2023-22638
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202302-1424
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2023-22638
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2023-22638
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2023-22638
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-004331 // CNNVD: CNNVD-202302-1424 // NVD: CVE-2023-22638 // NVD: CVE-2023-22638

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.1
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-450600 // JVNDB: JVNDB-2023-004331 // NVD: CVE-2023-22638

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202302-1424

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202302-1424

PATCH

title:	FG-IR-22-260	url:	https://www.fortiguard.com/psirt/FG-IR-22-260	Trust: 0.8
title:	Fortinet FortiNAC Fixes for cross-site scripting vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=226968	Trust: 0.6

sources: JVNDB: JVNDB-2023-004331 // CNNVD: CNNVD-202302-1424

EXTERNAL IDS

db:	NVD	id:	CVE-2023-22638	Trust: 3.4
db:	JVNDB	id:	JVNDB-2023-004331	Trust: 0.8
db:	AUSCERT	id:	ESB-2023.1053	Trust: 0.6
db:	CNNVD	id:	CNNVD-202302-1424	Trust: 0.6
db:	VULHUB	id:	VHN-450600	Trust: 0.1
db:	VULMON	id:	CVE-2023-22638	Trust: 0.1

sources: VULHUB: VHN-450600 // VULMON: CVE-2023-22638 // JVNDB: JVNDB-2023-004331 // CNNVD: CNNVD-202302-1424 // NVD: CVE-2023-22638

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-22-260	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-22638	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2023.1053	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2023-22638/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-450600 // VULMON: CVE-2023-22638 // JVNDB: JVNDB-2023-004331 // CNNVD: CNNVD-202302-1424 // NVD: CVE-2023-22638

SOURCES

db:	VULHUB	id:	VHN-450600
db:	VULMON	id:	CVE-2023-22638
db:	JVNDB	id:	JVNDB-2023-004331
db:	CNNVD	id:	CNNVD-202302-1424
db:	NVD	id:	CVE-2023-22638

LAST UPDATE DATE

2024-08-14T15:11:01.538000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-450600	date:	2023-02-27T00:00:00
db:	VULMON	id:	CVE-2023-22638	date:	2023-02-16T00:00:00
db:	JVNDB	id:	JVNDB-2023-004331	date:	2023-10-30T01:13:00
db:	CNNVD	id:	CNNVD-202302-1424	date:	2023-02-28T00:00:00
db:	NVD	id:	CVE-2023-22638	date:	2023-11-07T04:07:11.260

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-450600	date:	2023-02-16T00:00:00
db:	VULMON	id:	CVE-2023-22638	date:	2023-02-16T00:00:00
db:	JVNDB	id:	JVNDB-2023-004331	date:	2023-10-30T00:00:00
db:	CNNVD	id:	CNNVD-202302-1424	date:	2023-02-16T00:00:00
db:	NVD	id:	CVE-2023-22638	date:	2023-02-16T19:15:13.977