cvelistv5 - cve-2018-9186

CVE-2018-9186 (GCVE-0-2018-9186)

Vulnerability from cvelistv5 – Published: 2018-05-31 22:00 – Updated: 2024-10-25 14:09

Summary

Severity ?

No CVSS data available.

CWE

Execute unauthorized code or commands

Assigner

fortinet

References

URL

Tags

	https://fortiguard.com/advisory/FG-IR-18-059	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/104371	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	Fortinet, Inc.	FortiAuthenticator	Affected: below 5.3.0 versions

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:17:51.677Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://fortiguard.com/advisory/FG-IR-18-059"
          },
          {
            "name": "104371",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104371"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2018-9186",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-23T14:00:20.619763Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-25T14:09:37.923Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FortiAuthenticator",
          "vendor": "Fortinet, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "below 5.3.0 versions"
            }
          ]
        }
      ],
      "datePublic": "2018-05-29T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \"CSRF validation failure\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Execute unauthorized code or commands",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-03-21T21:12:49",
        "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "shortName": "fortinet"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://fortiguard.com/advisory/FG-IR-18-059"
        },
        {
          "name": "104371",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104371"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@fortinet.com",
          "DATE_PUBLIC": "2018-05-29T00:00:00",
          "ID": "CVE-2018-9186",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "FortiAuthenticator",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "below 5.3.0 versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Fortinet, Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \"CSRF validation failure\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Execute unauthorized code or commands"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://fortiguard.com/advisory/FG-IR-18-059",
              "refsource": "CONFIRM",
              "url": "https://fortiguard.com/advisory/FG-IR-18-059"
            },
            {
              "name": "104371",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104371"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
    "assignerShortName": "fortinet",
    "cveId": "CVE-2018-9186",
    "datePublished": "2018-05-31T22:00:00Z",
    "dateReserved": "2018-04-02T00:00:00",
    "dateUpdated": "2024-10-25T14:09:37.923Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.0.0\", \"versionEndExcluding\": \"5.3.0\", \"matchCriteriaId\": \"189DF9FD-8CC2-4362-873D-0A858DF08A33\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \\\"CSRF validation failure\\\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad Cross-Site Scripting (XSS) en Fortinet FortiAuthenticator, desde la versi\\u00f3n 4.0.0 hasta antes de la 5.3.0, en la p\\u00e1gina \\\"CSRF validation failure\\\", permite que un atacante ejecute c\\u00f3digo script no autorizado mediante la inyecci\\u00f3n de scripts maliciosos en la cabecera referer HTTP.\"}]",
      "id": "CVE-2018-9186",
      "lastModified": "2024-11-21T04:15:08.570",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2018-05-31T22:29:00.253",
      "references": "[{\"url\": \"http://www.securityfocus.com/bid/104371\", \"source\": \"psirt@fortinet.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://fortiguard.com/advisory/FG-IR-18-059\", \"source\": \"psirt@fortinet.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/104371\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://fortiguard.com/advisory/FG-IR-18-059\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "psirt@fortinet.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-9186\",\"sourceIdentifier\":\"psirt@fortinet.com\",\"published\":\"2018-05-31T22:29:00.253\",\"lastModified\":\"2024-11-21T04:15:08.570\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \\\"CSRF validation failure\\\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad Cross-Site Scripting (XSS) en Fortinet FortiAuthenticator, desde la versi\u00f3n 4.0.0 hasta antes de la 5.3.0, en la p\u00e1gina \\\"CSRF validation failure\\\", permite que un atacante ejecute c\u00f3digo script no autorizado mediante la inyecci\u00f3n de scripts maliciosos en la cabecera referer HTTP.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"5.3.0\",\"matchCriteriaId\":\"189DF9FD-8CC2-4362-873D-0A858DF08A33\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/104371\",\"source\":\"psirt@fortinet.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://fortiguard.com/advisory/FG-IR-18-059\",\"source\":\"psirt@fortinet.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/104371\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://fortiguard.com/advisory/FG-IR-18-059\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://fortiguard.com/advisory/FG-IR-18-059\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"http://www.securityfocus.com/bid/104371\", \"name\": \"104371\", \"tags\": [\"vdb-entry\", \"x_refsource_BID\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-05T07:17:51.677Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2018-9186\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-23T14:00:20.619763Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-23T14:01:34.939Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Fortinet, Inc.\", \"product\": \"FortiAuthenticator\", \"versions\": [{\"status\": \"affected\", \"version\": \"below 5.3.0 versions\"}]}], \"datePublic\": \"2018-05-29T00:00:00\", \"references\": [{\"url\": \"https://fortiguard.com/advisory/FG-IR-18-059\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"http://www.securityfocus.com/bid/104371\", \"name\": \"104371\", \"tags\": [\"vdb-entry\", \"x_refsource_BID\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \\\"CSRF validation failure\\\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Execute unauthorized code or commands\"}]}], \"providerMetadata\": {\"orgId\": \"6abe59d8-c742-4dff-8ce8-9b0ca1073da8\", \"shortName\": \"fortinet\", \"dateUpdated\": \"2019-03-21T21:12:49\"}, \"x_legacyV4Record\": {\"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"below 5.3.0 versions\"}]}, \"product_name\": \"FortiAuthenticator\"}]}, \"vendor_name\": \"Fortinet, Inc.\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://fortiguard.com/advisory/FG-IR-18-059\", \"name\": \"https://fortiguard.com/advisory/FG-IR-18-059\", \"refsource\": \"CONFIRM\"}, {\"url\": \"http://www.securityfocus.com/bid/104371\", \"name\": \"104371\", \"refsource\": \"BID\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \\\"CSRF validation failure\\\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"Execute unauthorized code or commands\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2018-9186\", \"STATE\": \"PUBLIC\", \"ASSIGNER\": \"psirt@fortinet.com\", \"DATE_PUBLIC\": \"2018-05-29T00:00:00\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2018-9186\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-25T14:09:37.923Z\", \"dateReserved\": \"2018-04-02T00:00:00\", \"assignerOrgId\": \"6abe59d8-c742-4dff-8ce8-9b0ca1073da8\", \"datePublished\": \"2018-05-31T22:00:00Z\", \"assignerShortName\": \"fortinet\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CNVD-2018-10945

Vulnerability from cnvd - Published: 2018-06-05

Title

Fortinet FortiAuthenticator跨站脚本漏洞（CNVD-2018-10945）

Description

Fortinet FortiAuthenticator是用户身份管理设备，可通过简化和集中用户身份信息的管理和存储增强企业安全性。 5.3.0之前的Fortinet FortiAuthenticator中的“CSRF验证失败”页面存在跨站脚本漏洞。攻击者可通过将恶意脚本注入HTTP referer header利用该漏洞执行未经授权的脚本代码。

Severity

中

Patch Name

Fortinet FortiAuthenticator跨站脚本漏洞（CNVD-2018-10945）的补丁

Patch Description

Formal description

厂商已发布漏洞修复程序，请及时关注更新： https://fortiguard.com/psirt/FG-IR-18-059

Reference

https://nvd.nist.gov/vuln/detail/CVE-2018-9186

Impacted products

Name
Fortinet FortiAuthenticator <5.3.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-9186"
    }
  },
  "description": "Fortinet FortiAuthenticator\u662f\u7528\u6237\u8eab\u4efd\u7ba1\u7406\u8bbe\u5907\uff0c\u53ef\u901a\u8fc7\u7b80\u5316\u548c\u96c6\u4e2d\u7528\u6237\u8eab\u4efd\u4fe1\u606f\u7684\u7ba1\u7406\u548c\u5b58\u50a8\u589e\u5f3a\u4f01\u4e1a\u5b89\u5168\u6027\u3002\r\n\r\n5.3.0\u4e4b\u524d\u7684Fortinet FortiAuthenticator\u4e2d\u7684\u201cCSRF\u9a8c\u8bc1\u5931\u8d25\u201d\u9875\u9762\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5c06\u6076\u610f\u811a\u672c\u6ce8\u5165HTTP referer header\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u811a\u672c\u4ee3\u7801\u3002",
  "discovererName": "Unknow",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://fortiguard.com/psirt/FG-IR-18-059",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-10945",
  "openTime": "2018-06-05",
  "patchDescription": "Fortinet FortiAuthenticator\u662f\u7528\u6237\u8eab\u4efd\u7ba1\u7406\u8bbe\u5907\uff0c\u53ef\u901a\u8fc7\u7b80\u5316\u548c\u96c6\u4e2d\u7528\u6237\u8eab\u4efd\u4fe1\u606f\u7684\u7ba1\u7406\u548c\u5b58\u50a8\u589e\u5f3a\u4f01\u4e1a\u5b89\u5168\u6027\u3002\r\n\r\n5.3.0\u4e4b\u524d\u7684Fortinet FortiAuthenticator\u4e2d\u7684\u201cCSRF\u9a8c\u8bc1\u5931\u8d25\u201d\u9875\u9762\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5c06\u6076\u610f\u811a\u672c\u6ce8\u5165HTTP referer header\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u811a\u672c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Fortinet FortiAuthenticator\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2018-10945\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Fortinet FortiAuthenticator \u003c5.3.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-9186",
  "serverity": "\u4e2d",
  "submitTime": "2018-06-01",
  "title": "Fortinet FortiAuthenticator\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2018-10945\uff09"
}

GHSA-46PC-6G7G-6HW8

Vulnerability from github – Published: 2022-05-14 01:07 – Updated: 2022-05-14 01:07

Details

Severity ?

6.1 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-9186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-31T22:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \"CSRF validation failure\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.",
  "id": "GHSA-46pc-6g7g-6hw8",
  "modified": "2022-05-14T01:07:31Z",
  "published": "2022-05-14T01:07:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9186"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-18-059"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104371"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CERTFR-2018-AVI-260

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans Fortinet FortAuthenticator. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Fortinet	N/A	FortAuthenticator versions antérieures à 5.3.0

References

Title

Publication Time

Tags

Bulletin de sécurité Fortinet du 29 mai 2018

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "FortAuthenticator versions ant\u00e9rieures \u00e0 5.3.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2018-9186",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-9186"
    }
  ],
  "links": [],
  "reference": "CERTFR-2018-AVI-260",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2018-05-30T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Fortinet FortAuthenticator. Elle\npermet \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0\ndistance (XSS).\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Fortinet FortAuthenticator",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet du 29 mai 2018",
      "url": "https://fortiguard.com/psirt/FG-IR-18-059"
    }
  ]
}

CERTFR-2018-AVI-260

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans Fortinet FortAuthenticator. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Fortinet	N/A	FortAuthenticator versions antérieures à 5.3.0

References

Title

Publication Time

Tags

Bulletin de sécurité Fortinet du 29 mai 2018

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "FortAuthenticator versions ant\u00e9rieures \u00e0 5.3.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2018-9186",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-9186"
    }
  ],
  "links": [],
  "reference": "CERTFR-2018-AVI-260",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2018-05-30T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Fortinet FortAuthenticator. Elle\npermet \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0\ndistance (XSS).\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Fortinet FortAuthenticator",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet du 29 mai 2018",
      "url": "https://fortiguard.com/psirt/FG-IR-18-059"
    }
  ]
}

GSD-2018-9186

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-9186

Aliases

CVE-2018-9186

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-9186",
    "description": "A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \"CSRF validation failure\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.",
    "id": "GSD-2018-9186"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-9186"
      ],
      "details": "A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \"CSRF validation failure\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.",
      "id": "GSD-2018-9186",
      "modified": "2023-12-13T01:22:33.329282Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@fortinet.com",
        "DATE_PUBLIC": "2018-05-29T00:00:00",
        "ID": "CVE-2018-9186",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "FortiAuthenticator",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "below 5.3.0 versions"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Fortinet, Inc."
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \"CSRF validation failure\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Execute unauthorized code or commands"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://fortiguard.com/advisory/FG-IR-18-059",
            "refsource": "CONFIRM",
            "url": "https://fortiguard.com/advisory/FG-IR-18-059"
          },
          {
            "name": "104371",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/104371"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.3.0",
                "versionStartIncluding": "4.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@fortinet.com",
          "ID": "CVE-2018-9186"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \"CSRF validation failure\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://fortiguard.com/advisory/FG-IR-18-059",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://fortiguard.com/advisory/FG-IR-18-059"
            },
            {
              "name": "104371",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/104371"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2019-04-22T18:32Z",
      "publishedDate": "2018-05-31T22:29Z"
    }
  }
}

FKIE_CVE-2018-9186

Vulnerability from fkie_nvd - Published: 2018-05-31 22:29 - Updated: 2024-11-21 04:15

Severity ?

6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
psirt@fortinet.com	http://www.securityfocus.com/bid/104371	Third Party Advisory, VDB Entry
psirt@fortinet.com	https://fortiguard.com/advisory/FG-IR-18-059	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/104371	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://fortiguard.com/advisory/FG-IR-18-059	Vendor Advisory

Impacted products

	Vendor	Product	Version
	fortinet	fortiauthenticator	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "189DF9FD-8CC2-4362-873D-0A858DF08A33",
              "versionEndExcluding": "5.3.0",
              "versionStartIncluding": "4.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \"CSRF validation failure\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad Cross-Site Scripting (XSS) en Fortinet FortiAuthenticator, desde la versi\u00f3n 4.0.0 hasta antes de la 5.3.0, en la p\u00e1gina \"CSRF validation failure\", permite que un atacante ejecute c\u00f3digo script no autorizado mediante la inyecci\u00f3n de scripts maliciosos en la cabecera referer HTTP."
    }
  ],
  "id": "CVE-2018-9186",
  "lastModified": "2024-11-21T04:15:08.570",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-05-31T22:29:00.253",
  "references": [
    {
      "source": "psirt@fortinet.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/104371"
    },
    {
      "source": "psirt@fortinet.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://fortiguard.com/advisory/FG-IR-18-059"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/104371"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://fortiguard.com/advisory/FG-IR-18-059"
    }
  ],
  "sourceIdentifier": "psirt@fortinet.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-201805-1018

Vulnerability from variot - Updated: 2023-12-18 13:38

A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF validation failure" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header. Fortinet FortiAuthenticator Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. FortinetFortiAuthenticator is a user identity management device that enhances enterprise security by simplifying and centralizing the management and storage of user identity information. A cross-site scripting vulnerability exists in the \"CSRF Authentication Failed\" page in FortinetFortiAuthenticator prior to 5.3.0. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to FortiAuthenticator 5.3.0 are vulnerable. Fortinet FortiAuthenticator is a series of security authentication software from Fortinet, which can be combined with FortiToken (two-factor authentication token) to provide secure two-factor authentication to third-party devices authenticated by RADIUS or LDAP

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201805-1018",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "fortiauthenticator",
        "scope": "lt",
        "trust": 2.4,
        "vendor": "fortinet",
        "version": "5.3.0"
      },
      {
        "model": "fortiauthenticator",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "fortinet",
        "version": "4.0.0"
      },
      {
        "model": "fortiauthenticator",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "fortinet",
        "version": "3.0.0"
      },
      {
        "model": "fortiauthenticator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.2"
      },
      {
        "model": "fortiauthenticator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.1"
      },
      {
        "model": "fortiauthenticator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.0"
      },
      {
        "model": "fortiauthenticator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "4.3"
      },
      {
        "model": "fortiauthenticator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "4.2"
      },
      {
        "model": "fortiauthenticator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "3.2.1"
      },
      {
        "model": "fortiauthenticator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "3.2"
      },
      {
        "model": "fortiauthenticator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "3.1"
      },
      {
        "model": "fortiauthenticator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "3.0.2"
      },
      {
        "model": "fortiauthenticator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "3.0"
      },
      {
        "model": "fortiauthenticator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "2.0"
      },
      {
        "model": "fortiauthenticator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "1.0"
      },
      {
        "model": "fortiauthenticator",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.3"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10945"
      },
      {
        "db": "BID",
        "id": "104371"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005463"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-9186"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1164"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.3.0",
                "versionStartIncluding": "4.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-9186"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Arun Narayanan",
    "sources": [
      {
        "db": "BID",
        "id": "104371"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2018-9186",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.3,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2018-9186",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2018-10945",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "VHN-139218",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 6.1,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "CVE-2018-9186",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2018-9186",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2018-10945",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201805-1164",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-139218",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10945"
      },
      {
        "db": "VULHUB",
        "id": "VHN-139218"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005463"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-9186"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1164"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \"CSRF validation failure\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header. Fortinet FortiAuthenticator Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. FortinetFortiAuthenticator is a user identity management device that enhances enterprise security by simplifying and centralizing the management and storage of user identity information. A cross-site scripting vulnerability exists in the \\\"CSRF Authentication Failed\\\" page in FortinetFortiAuthenticator prior to 5.3.0. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. \nVersions prior to FortiAuthenticator 5.3.0 are vulnerable. Fortinet FortiAuthenticator is a series of security authentication software from Fortinet, which can be combined with FortiToken (two-factor authentication token) to provide secure two-factor authentication to third-party devices authenticated by RADIUS or LDAP",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-9186"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005463"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-10945"
      },
      {
        "db": "BID",
        "id": "104371"
      },
      {
        "db": "VULHUB",
        "id": "VHN-139218"
      }
    ],
    "trust": 2.52
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-9186",
        "trust": 3.4
      },
      {
        "db": "BID",
        "id": "104371",
        "trust": 2.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005463",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1164",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-10945",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-139218",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10945"
      },
      {
        "db": "VULHUB",
        "id": "VHN-139218"
      },
      {
        "db": "BID",
        "id": "104371"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005463"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-9186"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1164"
      }
    ]
  },
  "id": "VAR-201805-1018",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10945"
      },
      {
        "db": "VULHUB",
        "id": "VHN-139218"
      }
    ],
    "trust": 0.06999999999999999
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10945"
      }
    ]
  },
  "last_update_date": "2023-12-18T13:38:36.542000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "FG-IR-18-059",
        "trust": 0.8,
        "url": "https://fortiguard.com/psirt/fg-ir-18-059"
      },
      {
        "title": "Patch for FortinetFortiAuthenticator Cross-Site Scripting Vulnerability (CNVD-2018-10945)",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/131119"
      },
      {
        "title": "Fortinet FortiAuthenticator Fixes for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81182"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10945"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005463"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1164"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-139218"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005463"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-9186"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/104371"
      },
      {
        "trust": 1.7,
        "url": "https://fortiguard.com/advisory/fg-ir-18-059"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-9186"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-9186"
      },
      {
        "trust": 0.3,
        "url": "http://www.fortinet.com/"
      },
      {
        "trust": 0.3,
        "url": "https://fortiguard.com/psirt/fg-ir-18-059"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10945"
      },
      {
        "db": "VULHUB",
        "id": "VHN-139218"
      },
      {
        "db": "BID",
        "id": "104371"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005463"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-9186"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1164"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10945"
      },
      {
        "db": "VULHUB",
        "id": "VHN-139218"
      },
      {
        "db": "BID",
        "id": "104371"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005463"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-9186"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1164"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-06-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-10945"
      },
      {
        "date": "2018-05-31T00:00:00",
        "db": "VULHUB",
        "id": "VHN-139218"
      },
      {
        "date": "2018-05-31T00:00:00",
        "db": "BID",
        "id": "104371"
      },
      {
        "date": "2018-07-18T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-005463"
      },
      {
        "date": "2018-05-31T22:29:00.253000",
        "db": "NVD",
        "id": "CVE-2018-9186"
      },
      {
        "date": "2018-05-31T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-1164"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-06-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-10945"
      },
      {
        "date": "2019-04-22T00:00:00",
        "db": "VULHUB",
        "id": "VHN-139218"
      },
      {
        "date": "2018-05-31T00:00:00",
        "db": "BID",
        "id": "104371"
      },
      {
        "date": "2018-07-18T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-005463"
      },
      {
        "date": "2019-04-22T18:32:14.473000",
        "db": "NVD",
        "id": "CVE-2018-9186"
      },
      {
        "date": "2019-04-23T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-1164"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1164"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Fortinet FortiAuthenticator Vulnerable to cross-site scripting",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005463"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-1164"
      }
    ],
    "trust": 0.6
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-9186 (GCVE-0-2018-9186)

CNVD-2018-10945

GHSA-46PC-6G7G-6HW8

CERTFR-2018-AVI-260

Solution

CERTFR-2018-AVI-260

Solution

GSD-2018-9186

FKIE_CVE-2018-9186

VAR-201805-1018

Tags

Sightings

Nomenclature