cvelistv5 - CVE-2014-3115

Source	URL	Tags
cve@mitre.org	http://seclists.org/fulldisclosure/2014/May/30
cve@mitre.org	http://www.fortiguard.com/advisory/FG-IR-14-013/	Vendor Advisory
cve@mitre.org	http://www.kb.cert.org/vuls/id/902790	US Government Resource
cve@mitre.org	http://www.securitytracker.com/id/1030200

Vendor	Product
n/a	n/a

var-201405-0423

Vulnerability from variot

Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Fortinet FortiWeb before 5.2.0 allow remote attackers to hijack the authentication of administrators via system/config/adminadd and other unspecified vectors. Fortinet Fortiweb prior to version 5.2.0 do not sufficiently verify whether a valid request was intentionally provided by the user, which results in a cross-site request forgery (CSRF) vulnerability. (CWE-352). Fortinet FortiWeb is prone to multiple cross-site request-forgery vulnerabilities because it does not properly validate HTTP requests. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. Fortinet FortiWeb 5.1.x and prior versions are vulnerable. Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content.

Impact

A remote unauthenticated attacker may be able to trick a user into making an unintentional request to the web administration interface, via link or JavaScript hosted on a malicious web page. This forged request may be treated as authentic and result in unauthorized actions in the web administration interface. A successful attack would require the administrator to be logged in, and attacker knowledge of the internal FortiWeb administration URL.

Affected Products

FortiWeb 5.1.x and lower.

Solutions

Upgrade to FortiWeb 5.2.0 or higher.

Acknowledgement

This vulnerability was separately reported by both William Costa and Enrique Nissim

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201405-0423",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "fortiweb",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "fortinet",
        "version": "5.1.2"
      },
      {
        "model": "fortiweb",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "fortinet",
        "version": "5.1.3"
      },
      {
        "model": "fortiweb",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "fortinet",
        "version": "5.1.0"
      },
      {
        "model": "fortiweb",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "fortinet",
        "version": "5.1.1"
      },
      {
        "model": "fortiweb",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "fortinet",
        "version": "5.1.4"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "fortinet",
        "version": null
      },
      {
        "model": "fortiweb",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "fortinet",
        "version": "5.1"
      },
      {
        "model": "fortiweb",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "fortinet",
        "version": "5.1.4"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#902790"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002405"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201405-192"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3115"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:fortiweb:5.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:fortiweb:5.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:fortiweb:5.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:fortiweb:5.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "5.1.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-3115"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "William Costa, and Enrique Nissim",
    "sources": [
      {
        "db": "BID",
        "id": "67235"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2014-3115",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "availabilityRequirement": "LOW",
            "baseScore": 5.8,
            "collateralDamagePotential": "LOW",
            "confidentialityImpact": "PARTIAL",
            "confidentialityRequirement": "MEDIUM",
            "enviromentalScore": 1.3,
            "exploitability": "PROOF-OF-CONCEPT",
            "exploitabilityScore": 8.6,
            "id": "CVE-2014-3115",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "integrityRequirement": "MEDIUM",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "remediationLevel": "OFFICIAL FIX",
            "reportConfidence": "CONFIRMED",
            "severity": "MEDIUM",
            "targetDistribution": "LOW",
            "trust": 0.8,
            "userInterationRequired": null,
            "vector_string": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "IPA",
            "availabilityImpact": "None",
            "baseScore": 5.8,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2014-002405",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "VHN-71054",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULMON",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CVE-2014-3115",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "MEDIUM",
            "trust": 0.1,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2014-3115",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "IPA",
            "id": "JVNDB-2014-002405",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201405-192",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-71054",
            "trust": 0.1,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2014-3115",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#902790"
      },
      {
        "db": "VULHUB",
        "id": "VHN-71054"
      },
      {
        "db": "VULMON",
        "id": "CVE-2014-3115"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002405"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201405-192"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3115"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Fortinet FortiWeb before 5.2.0 allow remote attackers to hijack the authentication of administrators via system/config/adminadd and other unspecified vectors. Fortinet Fortiweb prior to version 5.2.0 do not sufficiently verify whether a valid request was intentionally provided by the user, which results in a cross-site request forgery (CSRF) vulnerability. (CWE-352). Fortinet FortiWeb is prone to multiple cross-site request-forgery vulnerabilities because it does not properly validate HTTP requests. \nExploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. \nFortinet FortiWeb 5.1.x and prior versions are vulnerable. Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content. \n\nImpact\n\nA remote unauthenticated attacker may be able to trick a user into making an unintentional request to the web administration interface, via link or JavaScript hosted on a malicious web page. This forged request may be treated as authentic and result in unauthorized actions in the web administration interface. A successful attack would require the administrator to be logged in, and attacker knowledge of the internal FortiWeb administration URL. \n\nAffected Products\n\nFortiWeb 5.1.x and lower. \n\nSolutions\n\nUpgrade to FortiWeb 5.2.0 or higher. \n\nAcknowledgement\n\nThis vulnerability was separately reported by both William Costa and Enrique Nissim",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-3115"
      },
      {
        "db": "CERT/CC",
        "id": "VU#902790"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002405"
      },
      {
        "db": "BID",
        "id": "67235"
      },
      {
        "db": "VULHUB",
        "id": "VHN-71054"
      },
      {
        "db": "VULMON",
        "id": "CVE-2014-3115"
      },
      {
        "db": "PACKETSTORM",
        "id": "126543"
      }
    ],
    "trust": 2.88
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-71054",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-71054"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2014-3115",
        "trust": 3.8
      },
      {
        "db": "CERT/CC",
        "id": "VU#902790",
        "trust": 2.8
      },
      {
        "db": "SECTRACK",
        "id": "1030200",
        "trust": 1.2
      },
      {
        "db": "JVN",
        "id": "JVNVU99180587",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002405",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201405-192",
        "trust": 0.7
      },
      {
        "db": "BID",
        "id": "67235",
        "trust": 0.4
      },
      {
        "db": "PACKETSTORM",
        "id": "126543",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-71054",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2014-3115",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#902790"
      },
      {
        "db": "VULHUB",
        "id": "VHN-71054"
      },
      {
        "db": "VULMON",
        "id": "CVE-2014-3115"
      },
      {
        "db": "BID",
        "id": "67235"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002405"
      },
      {
        "db": "PACKETSTORM",
        "id": "126543"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201405-192"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3115"
      }
    ]
  },
  "id": "VAR-201405-0423",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-71054"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-02-13T23:00:39.387000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "FortiWeb Cross-Site Request Forgery Vulnerability",
        "trust": 0.8,
        "url": "http://www.fortiguard.com/advisory/fg-ir-14-013/"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002405"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-352",
        "trust": 2.7
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#902790"
      },
      {
        "db": "VULHUB",
        "id": "VHN-71054"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002405"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3115"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.6,
        "url": "http://www.fortiguard.com/advisory/fg-ir-14-013/"
      },
      {
        "trust": 2.0,
        "url": "http://www.kb.cert.org/vuls/id/902790"
      },
      {
        "trust": 1.2,
        "url": "http://seclists.org/fulldisclosure/2014/may/30"
      },
      {
        "trust": 1.2,
        "url": "http://www.securitytracker.com/id/1030200"
      },
      {
        "trust": 0.9,
        "url": "http://cwe.mitre.org/data/definitions/352.html"
      },
      {
        "trust": 0.8,
        "url": "http://www.fortinet.com/products/fortiweb/"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3115"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu99180587/"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3115"
      },
      {
        "trust": 0.3,
        "url": "http://www.fortinet.com/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3115"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#902790"
      },
      {
        "db": "VULHUB",
        "id": "VHN-71054"
      },
      {
        "db": "VULMON",
        "id": "CVE-2014-3115"
      },
      {
        "db": "BID",
        "id": "67235"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002405"
      },
      {
        "db": "PACKETSTORM",
        "id": "126543"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201405-192"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3115"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#902790"
      },
      {
        "db": "VULHUB",
        "id": "VHN-71054"
      },
      {
        "db": "VULMON",
        "id": "CVE-2014-3115"
      },
      {
        "db": "BID",
        "id": "67235"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002405"
      },
      {
        "db": "PACKETSTORM",
        "id": "126543"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201405-192"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3115"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-05-07T00:00:00",
        "db": "CERT/CC",
        "id": "VU#902790"
      },
      {
        "date": "2014-05-08T00:00:00",
        "db": "VULHUB",
        "id": "VHN-71054"
      },
      {
        "date": "2014-05-08T00:00:00",
        "db": "VULMON",
        "id": "CVE-2014-3115"
      },
      {
        "date": "2014-05-02T00:00:00",
        "db": "BID",
        "id": "67235"
      },
      {
        "date": "2014-05-08T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-002405"
      },
      {
        "date": "2014-05-07T19:32:22",
        "db": "PACKETSTORM",
        "id": "126543"
      },
      {
        "date": "2014-05-12T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201405-192"
      },
      {
        "date": "2014-05-08T14:29:14.830000",
        "db": "NVD",
        "id": "CVE-2014-3115"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-05-07T00:00:00",
        "db": "CERT/CC",
        "id": "VU#902790"
      },
      {
        "date": "2015-08-01T00:00:00",
        "db": "VULHUB",
        "id": "VHN-71054"
      },
      {
        "date": "2015-08-01T00:00:00",
        "db": "VULMON",
        "id": "CVE-2014-3115"
      },
      {
        "date": "2014-05-08T01:11:00",
        "db": "BID",
        "id": "67235"
      },
      {
        "date": "2014-05-12T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-002405"
      },
      {
        "date": "2014-05-12T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201405-192"
      },
      {
        "date": "2015-08-01T01:37:30.260000",
        "db": "NVD",
        "id": "CVE-2014-3115"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201405-192"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Fortinet Fortiweb 5.1 contains a cross-site request forgery vulnerability",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#902790"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "cross-site request forgery",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201405-192"
      }
    ],
    "trust": 0.6
  }
}

gsd-2014-3115

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Fortinet FortiWeb before 5.2.0 allow remote attackers to hijack the authentication of administrators via system/config/adminadd and other unspecified vectors.

Aliases

CVE-2014-3115

Aliases

CVE-2014-3115

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-3115",
    "description": "Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Fortinet FortiWeb before 5.2.0 allow remote attackers to hijack the authentication of administrators via system/config/adminadd and other unspecified vectors.",
    "id": "GSD-2014-3115"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-3115"
      ],
      "details": "Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Fortinet FortiWeb before 5.2.0 allow remote attackers to hijack the authentication of administrators via system/config/adminadd and other unspecified vectors.",
      "id": "GSD-2014-3115",
      "modified": "2023-12-13T01:22:53.476224Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2014-3115",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Fortinet FortiWeb before 5.2.0 allow remote attackers to hijack the authentication of administrators via system/config/adminadd and other unspecified vectors."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.fortiguard.com/advisory/FG-IR-14-013/",
            "refsource": "CONFIRM",
            "url": "http://www.fortiguard.com/advisory/FG-IR-14-013/"
          },
          {
            "name": "VU#902790",
            "refsource": "CERT-VN",
            "url": "http://www.kb.cert.org/vuls/id/902790"
          },
          {
            "name": "20140507 Fortinet Fortiweb 5.1 contains a cross-site request forgery vulnerability (CVE-2014-3115)",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2014/May/30"
          },
          {
            "name": "1030200",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1030200"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:fortiweb:5.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:fortiweb:5.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:fortiweb:5.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:fortiweb:5.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "5.1.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-3115"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Fortinet FortiWeb before 5.2.0 allow remote attackers to hijack the authentication of administrators via system/config/adminadd and other unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.fortiguard.com/advisory/FG-IR-14-013/",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.fortiguard.com/advisory/FG-IR-14-013/"
            },
            {
              "name": "VU#902790",
              "refsource": "CERT-VN",
              "tags": [
                "US Government Resource"
              ],
              "url": "http://www.kb.cert.org/vuls/id/902790"
            },
            {
              "name": "1030200",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id/1030200"
            },
            {
              "name": "20140507 Fortinet Fortiweb 5.1 contains a cross-site request forgery vulnerability (CVE-2014-3115)",
              "refsource": "FULLDISC",
              "tags": [],
              "url": "http://seclists.org/fulldisclosure/2014/May/30"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2015-08-01T01:37Z",
      "publishedDate": "2014-05-08T14:29Z"
    }
  }
}

ghsa-7qxv-9465-xvp7

Vulnerability from github

Published

2022-05-17 04:10

Modified

2022-05-17 04:10

Details

Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Fortinet FortiWeb before 5.2.0 allow remote attackers to hijack the authentication of administrators via system/config/adminadd and other unspecified vectors.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2014-3115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-05-08T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Fortinet FortiWeb before 5.2.0 allow remote attackers to hijack the authentication of administrators via system/config/adminadd and other unspecified vectors.",
  "id": "GHSA-7qxv-9465-xvp7",
  "modified": "2022-05-17T04:10:38Z",
  "published": "2022-05-17T04:10:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3115"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2014/May/30"
    },
    {
      "type": "WEB",
      "url": "http://www.fortiguard.com/advisory/FG-IR-14-013"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/902790"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1030200"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Action not permitted

CVE-2014-3115

Vulnerability from cvelistv5

var-201405-0423

Vulnerability from variot

gsd-2014-3115

Vulnerability from gsd

ghsa-7qxv-9465-xvp7

Vulnerability from github

Tags