Details of VAR-202310-2391

ID

VAR-202310-2391

CVE

CVE-2023-41836

TITLE

fortinet's FortiSandbox Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-015353

DESCRIPTION

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.0 and 4.2.0 through 4.2.4, and 4.0.0 through 4.0.4 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.4 through 3.0.7 allows attacker to execute unauthorized code or commands via crafted HTTP requests. fortinet's FortiSandbox Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with

Trust: 1.62

sources: NVD: CVE-2023-41836 // JVNDB: JVNDB-2023-015353

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortisandbox	scope:	lte	version:	3.0.7	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.0.4	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	eq	version:	4.4.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.0.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lte	version:	3.1.5	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lte	version:	4.2.4	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.1.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.2.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lte	version:	3.2.4	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.2.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lte	version:	4.0.4	Trust: 1.0
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	3.2.0 to 3.2.4	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	3.0.4 to 3.0.7	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.4.0	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	3.1.0 to 3.1.5	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.2.0 to 4.2.4	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.0.0 to 4.0.4	Trust: 0.8

sources: JVNDB: JVNDB-2023-015353 // NVD: CVE-2023-41836

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-41836
value:	MEDIUM
Trust: 1.0
psirt@fortinet.com:	CVE-2023-41836
value:	LOW
Trust: 1.0
NVD:	CVE-2023-41836
value:	MEDIUM
Trust: 0.8

nvd@nist.gov:	CVE-2023-41836
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2023-41836
baseSeverity:	LOW
baseScore:	3.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.1
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2023-41836
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-015353 // NVD: CVE-2023-41836 // NVD: CVE-2023-41836

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-015353 // NVD: CVE-2023-41836

PATCH

title:

FG-IR-23-215

url:

https://www.fortiguard.com/psirt/FG-IR-23-215

Trust: 0.8

sources: JVNDB: JVNDB-2023-015353

EXTERNAL IDS

db:	NVD	id:	CVE-2023-41836	Trust: 2.6
db:	JVNDB	id:	JVNDB-2023-015353	Trust: 0.8

sources: JVNDB: JVNDB-2023-015353 // NVD: CVE-2023-41836

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-23-215	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2023-41836	Trust: 0.8

sources: JVNDB: JVNDB-2023-015353 // NVD: CVE-2023-41836

SOURCES

db:	JVNDB	id:	JVNDB-2023-015353
db:	NVD	id:	CVE-2023-41836

LAST UPDATE DATE

2024-08-14T14:54:27.763000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2023-015353	date:	2023-12-27T04:35:00
db:	NVD	id:	CVE-2023-41836	date:	2023-11-07T04:21:06.457

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2023-015353	date:	2023-12-27T00:00:00
db:	NVD	id:	CVE-2023-41836	date:	2023-10-13T15:15:44.183