CVE-2017-14190 (GCVE-0-2017-14190)
Vulnerability from – Published: 2018-01-29 16:00 – Updated: 2024-10-25 14:10
VLAI?
Summary
A Cross-site Scripting vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.7, 5.2 and earlier, allows attacker to inject arbitrary web script or HTML via maliciously crafted "Host" header in user HTTP requests.
Severity ?
No CVSS data available.
CWE
- Execute unauthorized code or commands
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fortinet, Inc. | FortiOS |
Affected:
5.6.0 to 5.6.2
Affected: 5.4.0 to 5.4.7 Affected: 5.2 and all earlier versions. |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:20:41.098Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1040284",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040284"
},
{
"name": "102779",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102779"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-17-262"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-14190",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T14:00:23.608294Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T14:10:07.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FortiOS",
"vendor": "Fortinet, Inc.",
"versions": [
{
"status": "affected",
"version": "5.6.0 to 5.6.2"
},
{
"status": "affected",
"version": "5.4.0 to 5.4.7"
},
{
"status": "affected",
"version": "5.2 and all earlier versions."
}
]
}
],
"datePublic": "2018-01-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A Cross-site Scripting vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.7, 5.2 and earlier, allows attacker to inject arbitrary web script or HTML via maliciously crafted \"Host\" header in user HTTP requests."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Execute unauthorized code or commands",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-30T10:57:01",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "1040284",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040284"
},
{
"name": "102779",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102779"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-17-262"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"DATE_PUBLIC": "2018-01-22T00:00:00",
"ID": "CVE-2017-14190",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "FortiOS",
"version": {
"version_data": [
{
"version_value": "5.6.0 to 5.6.2"
},
{
"version_value": "5.4.0 to 5.4.7"
},
{
"version_value": "5.2 and all earlier versions."
}
]
}
}
]
},
"vendor_name": "Fortinet, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross-site Scripting vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.7, 5.2 and earlier, allows attacker to inject arbitrary web script or HTML via maliciously crafted \"Host\" header in user HTTP requests."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Execute unauthorized code or commands"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1040284",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040284"
},
{
"name": "102779",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102779"
},
{
"name": "https://fortiguard.com/advisory/FG-IR-17-262",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-17-262"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2017-14190",
"datePublished": "2018-01-29T16:00:00Z",
"dateReserved": "2017-09-07T00:00:00",
"dateUpdated": "2024-10-25T14:10:07.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-9192 (GCVE-0-2018-9192)
Vulnerability from – Published: 2018-09-05 13:00 – Updated: 2024-10-25 14:08
VLAI?
Summary
A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under SSL Deep Inspection feature when CPx being used.
Severity ?
No CVSS data available.
CWE
- Information disclosure
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fortinet, Inc. | FortiOS |
Affected:
6.0.1, 6.0.0
Affected: 5.4.9, 5.4.8, 5.4.7, 5.4.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:17:51.729Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://robotattack.org/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-17-302"
},
{
"name": "VU#144389",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/144389"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-9192",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T14:00:11.700164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T14:08:14.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FortiOS",
"vendor": "Fortinet, Inc.",
"versions": [
{
"status": "affected",
"version": "6.0.1, 6.0.0"
},
{
"status": "affected",
"version": "5.4.9, 5.4.8, 5.4.7, 5.4.6"
}
]
}
],
"datePublic": "2018-08-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server\u0027s private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under SSL Deep Inspection feature when CPx being used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T12:57:01",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://robotattack.org/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-17-302"
},
{
"name": "VU#144389",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/144389"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"DATE_PUBLIC": "2018-08-27T00:00:00",
"ID": "CVE-2018-9192",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "FortiOS",
"version": {
"version_data": [
{
"version_value": "6.0.1, 6.0.0"
},
{
"version_value": "5.4.9, 5.4.8, 5.4.7, 5.4.6"
}
]
}
}
]
},
"vendor_name": "Fortinet, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server\u0027s private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under SSL Deep Inspection feature when CPx being used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://robotattack.org/",
"refsource": "MISC",
"url": "https://robotattack.org/"
},
{
"name": "https://fortiguard.com/advisory/FG-IR-17-302",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-17-302"
},
{
"name": "VU#144389",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/144389"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2018-9192",
"datePublished": "2018-09-05T13:00:00Z",
"dateReserved": "2018-04-02T00:00:00",
"dateUpdated": "2024-10-25T14:08:14.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-9192 (GCVE-0-2018-9192)
Vulnerability from – Published: 2018-09-05 13:00 – Updated: 2024-10-25 14:08
VLAI?
Summary
A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under SSL Deep Inspection feature when CPx being used.
Severity ?
No CVSS data available.
CWE
- Information disclosure
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fortinet, Inc. | FortiOS |
Affected:
6.0.1, 6.0.0
Affected: 5.4.9, 5.4.8, 5.4.7, 5.4.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:17:51.729Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://robotattack.org/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-17-302"
},
{
"name": "VU#144389",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/144389"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-9192",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T14:00:11.700164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T14:08:14.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FortiOS",
"vendor": "Fortinet, Inc.",
"versions": [
{
"status": "affected",
"version": "6.0.1, 6.0.0"
},
{
"status": "affected",
"version": "5.4.9, 5.4.8, 5.4.7, 5.4.6"
}
]
}
],
"datePublic": "2018-08-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server\u0027s private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under SSL Deep Inspection feature when CPx being used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T12:57:01",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://robotattack.org/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-17-302"
},
{
"name": "VU#144389",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/144389"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"DATE_PUBLIC": "2018-08-27T00:00:00",
"ID": "CVE-2018-9192",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "FortiOS",
"version": {
"version_data": [
{
"version_value": "6.0.1, 6.0.0"
},
{
"version_value": "5.4.9, 5.4.8, 5.4.7, 5.4.6"
}
]
}
}
]
},
"vendor_name": "Fortinet, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server\u0027s private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under SSL Deep Inspection feature when CPx being used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://robotattack.org/",
"refsource": "MISC",
"url": "https://robotattack.org/"
},
{
"name": "https://fortiguard.com/advisory/FG-IR-17-302",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-17-302"
},
{
"name": "VU#144389",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/144389"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2018-9192",
"datePublished": "2018-09-05T13:00:00Z",
"dateReserved": "2018-04-02T00:00:00",
"dateUpdated": "2024-10-25T14:08:14.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-9194 (GCVE-0-2018-9194)
Vulnerability from – Published: 2018-09-05 13:00 – Updated: 2024-10-25 14:08
VLAI?
Summary
A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under VIP SSL feature when CPx being used.
Severity ?
No CVSS data available.
CWE
- Information disclosure
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fortinet, Inc. | FortiOS |
Affected:
6.0.1, 6.0.0
Affected: 5.4.9, 5.4.8, 5.4.7, 5.4.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:17:51.548Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://robotattack.org/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-17-302"
},
{
"name": "VU#144389",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/144389"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-9194",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T14:00:10.318413Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T14:08:00.472Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FortiOS",
"vendor": "Fortinet, Inc.",
"versions": [
{
"status": "affected",
"version": "6.0.1, 6.0.0"
},
{
"status": "affected",
"version": "5.4.9, 5.4.8, 5.4.7, 5.4.6"
}
]
}
],
"datePublic": "2018-08-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server\u0027s private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under VIP SSL feature when CPx being used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T12:57:01",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://robotattack.org/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-17-302"
},
{
"name": "VU#144389",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/144389"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"DATE_PUBLIC": "2018-08-27T00:00:00",
"ID": "CVE-2018-9194",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "FortiOS",
"version": {
"version_data": [
{
"version_value": "6.0.1, 6.0.0"
},
{
"version_value": "5.4.9, 5.4.8, 5.4.7, 5.4.6"
}
]
}
}
]
},
"vendor_name": "Fortinet, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server\u0027s private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under VIP SSL feature when CPx being used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://robotattack.org/",
"refsource": "MISC",
"url": "https://robotattack.org/"
},
{
"name": "https://fortiguard.com/advisory/FG-IR-17-302",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-17-302"
},
{
"name": "VU#144389",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/144389"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2018-9194",
"datePublished": "2018-09-05T13:00:00Z",
"dateReserved": "2018-04-02T00:00:00",
"dateUpdated": "2024-10-25T14:08:00.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-9194 (GCVE-0-2018-9194)
Vulnerability from – Published: 2018-09-05 13:00 – Updated: 2024-10-25 14:08
VLAI?
Summary
A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under VIP SSL feature when CPx being used.
Severity ?
No CVSS data available.
CWE
- Information disclosure
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fortinet, Inc. | FortiOS |
Affected:
6.0.1, 6.0.0
Affected: 5.4.9, 5.4.8, 5.4.7, 5.4.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:17:51.548Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://robotattack.org/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-17-302"
},
{
"name": "VU#144389",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/144389"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-9194",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T14:00:10.318413Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T14:08:00.472Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FortiOS",
"vendor": "Fortinet, Inc.",
"versions": [
{
"status": "affected",
"version": "6.0.1, 6.0.0"
},
{
"status": "affected",
"version": "5.4.9, 5.4.8, 5.4.7, 5.4.6"
}
]
}
],
"datePublic": "2018-08-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server\u0027s private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under VIP SSL feature when CPx being used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T12:57:01",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://robotattack.org/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-17-302"
},
{
"name": "VU#144389",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/144389"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"DATE_PUBLIC": "2018-08-27T00:00:00",
"ID": "CVE-2018-9194",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "FortiOS",
"version": {
"version_data": [
{
"version_value": "6.0.1, 6.0.0"
},
{
"version_value": "5.4.9, 5.4.8, 5.4.7, 5.4.6"
}
]
}
}
]
},
"vendor_name": "Fortinet, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server\u0027s private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under VIP SSL feature when CPx being used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://robotattack.org/",
"refsource": "MISC",
"url": "https://robotattack.org/"
},
{
"name": "https://fortiguard.com/advisory/FG-IR-17-302",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-17-302"
},
{
"name": "VU#144389",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/144389"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2018-9194",
"datePublished": "2018-09-05T13:00:00Z",
"dateReserved": "2018-04-02T00:00:00",
"dateUpdated": "2024-10-25T14:08:00.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-13380 (GCVE-0-2018-13380)
Vulnerability from – Published: 2019-06-04 20:12 – Updated: 2024-10-25 14:06
VLAI?
Summary
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below and Fortinet FortiProxy 2.0.0, 1.2.8 and below under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling parameters.
Severity ?
4.7 (Medium)
CWE
- Execute unauthorized code or commands
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fortinet | Fortinet FortiOS and FortiProxy |
Affected:
FortiGate 6.0.0 through 6.0.4, 5.6.0 through 5.6.7, 5.4.0 through 5.4.12, 5.2 and earlier and FortiProxy versions 2.0.0, 1.2.8 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:00:34.992Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-18-383"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-20-230"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-13380",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T13:59:56.106542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T14:06:52.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fortinet FortiOS and FortiProxy",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "FortiGate 6.0.0 through 6.0.4, 5.6.0 through 5.6.7, 5.4.0 through 5.4.12, 5.2 and earlier and FortiProxy versions 2.0.0, 1.2.8 and earlier"
}
]
}
],
"datePublic": "2019-05-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below and Fortinet FortiProxy 2.0.0, 1.2.8 and below under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling parameters."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Execute unauthorized code or commands",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-10T16:39:29",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-18-383"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-20-230"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"ID": "CVE-2018-13380",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Fortinet FortiOS and FortiProxy",
"version": {
"version_data": [
{
"version_value": "FortiGate 6.0.0 through 6.0.4, 5.6.0 through 5.6.7, 5.4.0 through 5.4.12, 5.2 and earlier and FortiProxy versions 2.0.0, 1.2.8 and earlier"
}
]
}
}
]
},
"vendor_name": "Fortinet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below and Fortinet FortiProxy 2.0.0, 1.2.8 and below under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling parameters."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "None",
"baseScore": 4.6,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Changed",
"userInteraction": "Required",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Execute unauthorized code or commands"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fortiguard.com/advisory/FG-IR-18-383",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-18-383"
},
{
"name": "https://fortiguard.com/advisory/FG-IR-20-230",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-20-230"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2018-13380",
"datePublished": "2019-06-04T20:12:06",
"dateReserved": "2018-07-06T00:00:00",
"dateUpdated": "2024-10-25T14:06:52.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-13384 (GCVE-0-2018-13384)
Vulnerability from – Published: 2019-06-04 20:38 – Updated: 2024-10-25 14:06
VLAI?
Summary
A Host Header Redirection vulnerability in Fortinet FortiOS all versions below 6.0.5 under SSL VPN web portal allows a remote attacker to potentially poison HTTP cache and subsequently redirect SSL VPN web portal users to arbitrary web domains.
Severity ?
No CVSS data available.
CWE
- Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fortinet | Fortinet FortiOS |
Affected:
FortiOS all versions below 6.0.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:00:35.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-19-002"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-13384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T13:59:54.584287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T14:06:40.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fortinet FortiOS",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "FortiOS all versions below 6.0.5"
}
]
}
],
"datePublic": "2019-05-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A Host Header Redirection vulnerability in Fortinet FortiOS all versions below 6.0.5 under SSL VPN web portal allows a remote attacker to potentially poison HTTP cache and subsequently redirect SSL VPN web portal users to arbitrary web domains."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-04T20:38:13",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-19-002"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"ID": "CVE-2018-13384",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Fortinet FortiOS",
"version": {
"version_data": [
{
"version_value": "FortiOS all versions below 6.0.5"
}
]
}
}
]
},
"vendor_name": "Fortinet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Host Header Redirection vulnerability in Fortinet FortiOS all versions below 6.0.5 under SSL VPN web portal allows a remote attacker to potentially poison HTTP cache and subsequently redirect SSL VPN web portal users to arbitrary web domains."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fortiguard.com/advisory/FG-IR-19-002",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-19-002"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2018-13384",
"datePublished": "2019-06-04T20:38:13",
"dateReserved": "2018-07-06T00:00:00",
"dateUpdated": "2024-10-25T14:06:40.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5587 (GCVE-0-2019-5587)
Vulnerability from – Published: 2019-06-04 21:35 – Updated: 2024-10-25 14:06
VLAI?
Summary
Lack of root file system integrity checking in Fortinet FortiOS VM application images all versions below 6.0.5 may allow attacker to implant malicious programs into the installing image by reassembling the image through specific methods.
Severity ?
No CVSS data available.
CWE
- Execute unauthorized code or commands
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fortinet | Fortinet FortiOS |
Affected:
FortiOS all versions below 6.0.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:50.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-19-017"
},
{
"name": "108628",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108628"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-5587",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T13:59:53.112644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T14:06:29.918Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fortinet FortiOS",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "FortiOS all versions below 6.0.5"
}
]
}
],
"datePublic": "2019-05-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Lack of root file system integrity checking in Fortinet FortiOS VM application images all versions below 6.0.5 may allow attacker to implant malicious programs into the installing image by reassembling the image through specific methods."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Execute unauthorized code or commands",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-06T11:06:05",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-19-017"
},
{
"name": "108628",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108628"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"ID": "CVE-2019-5587",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Fortinet FortiOS",
"version": {
"version_data": [
{
"version_value": "FortiOS all versions below 6.0.5"
}
]
}
}
]
},
"vendor_name": "Fortinet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Lack of root file system integrity checking in Fortinet FortiOS VM application images all versions below 6.0.5 may allow attacker to implant malicious programs into the installing image by reassembling the image through specific methods."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Execute unauthorized code or commands"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fortiguard.com/advisory/FG-IR-19-017",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-19-017"
},
{
"name": "108628",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108628"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2019-5587",
"datePublished": "2019-06-04T21:35:03",
"dateReserved": "2019-01-07T00:00:00",
"dateUpdated": "2024-10-25T14:06:29.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5586 (GCVE-0-2019-5586)
Vulnerability from – Published: 2019-06-04 21:39 – Updated: 2024-10-25 14:06
VLAI?
Summary
A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 5.2.0 to 5.6.10, 6.0.0 to 6.0.4 under SSL VPN web portal may allow an attacker to execute unauthorized malicious script code via the "param" parameter of the error process HTTP requests.
Severity ?
No CVSS data available.
CWE
- Execute unauthorized code or commands
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fortinet | Fortinet FortiOS |
Affected:
FortiOS 5.2.0 to 6.0.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:50.819Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-19-034"
},
{
"name": "108610",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108610"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-5586",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T13:59:51.816805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T14:06:19.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fortinet FortiOS",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "FortiOS 5.2.0 to 6.0.4"
}
]
}
],
"datePublic": "2019-05-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 5.2.0 to 5.6.10, 6.0.0 to 6.0.4 under SSL VPN web portal may allow an attacker to execute unauthorized malicious script code via the \"param\" parameter of the error process HTTP requests."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Execute unauthorized code or commands",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T19:12:06",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-19-034"
},
{
"name": "108610",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108610"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"ID": "CVE-2019-5586",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Fortinet FortiOS",
"version": {
"version_data": [
{
"version_value": "FortiOS 5.2.0 to 6.0.4"
}
]
}
}
]
},
"vendor_name": "Fortinet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 5.2.0 to 5.6.10, 6.0.0 to 6.0.4 under SSL VPN web portal may allow an attacker to execute unauthorized malicious script code via the \"param\" parameter of the error process HTTP requests."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Execute unauthorized code or commands"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fortiguard.com/advisory/FG-IR-19-034",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-19-034"
},
{
"name": "108610",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108610"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2019-5586",
"datePublished": "2019-06-04T21:39:52",
"dateReserved": "2019-01-07T00:00:00",
"dateUpdated": "2024-10-25T14:06:19.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5588 (GCVE-0-2019-5588)
Vulnerability from – Published: 2019-06-04 21:43 – Updated: 2024-10-25 14:06
VLAI?
Summary
A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4 under SSL VPN web portal may allow an attacker to execute unauthorized malicious script code via the "err" parameter of the error process HTTP requests.
Severity ?
No CVSS data available.
CWE
- Execute unauthorized code or commands
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fortinet | Fortinet FortiOS |
Affected:
FortiOS 6.0.0 to 6.0.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:51.590Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://fortiguard.com/advisory/FG-IR-19-034"
},
{
"name": "108618",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108618"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-5588",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T13:59:50.619727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T14:06:08.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fortinet FortiOS",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "FortiOS 6.0.0 to 6.0.4"
}
]
}
],
"datePublic": "2019-05-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4 under SSL VPN web portal may allow an attacker to execute unauthorized malicious script code via the \"err\" parameter of the error process HTTP requests."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Execute unauthorized code or commands",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-06T07:06:03",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://fortiguard.com/advisory/FG-IR-19-034"
},
{
"name": "108618",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108618"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@fortinet.com",
"ID": "CVE-2019-5588",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Fortinet FortiOS",
"version": {
"version_data": [
{
"version_value": "FortiOS 6.0.0 to 6.0.4"
}
]
}
}
]
},
"vendor_name": "Fortinet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4 under SSL VPN web portal may allow an attacker to execute unauthorized malicious script code via the \"err\" parameter of the error process HTTP requests."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Execute unauthorized code or commands"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fortiguard.com/advisory/FG-IR-19-034",
"refsource": "CONFIRM",
"url": "https://fortiguard.com/advisory/FG-IR-19-034"
},
{
"name": "108618",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108618"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2019-5588",
"datePublished": "2019-06-04T21:43:15",
"dateReserved": "2019-01-07T00:00:00",
"dateUpdated": "2024-10-25T14:06:08.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
displaying 141 - 150 organizations in total 268