Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.FORTIMANAGER_FG-IR-15-005.NASL
HistoryOct 21, 2015 - 12:00 a.m.

Fortinet FortiManager FortiOS 5.0.x >= 5.0.3 and < 5.0.11 Dataset Reports XSS

2015-10-2100:00:00
This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
18

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.003

Percentile

70.1%

JSON

The Fortinet FortiManager FortiOS version running on the remote host is 5.x greater than or equal to 5.0.3 and prior to 5.0.11. It is, therefore, affected by a cross-site scripting vulnerability in the advanced dataset reports page due to a failure to properly sanitize user-supplied input to the ‘sql-query’ GET parameter before returning it to users. An unauthenticated, remote attacker can exploit this, via a crafted request, to execute arbitrary script code or HTML in the user’s browser session. Note that this issue applies when the FortiAnalyzer feature is enabled.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(86471);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2015-3620");
  script_bugtraq_id(74646);

  script_name(english:"Fortinet FortiManager FortiOS 5.0.x >= 5.0.3 and < 5.0.11 Dataset Reports XSS");
  script_summary(english:"Checks the FortiOS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a cross-site scripting vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Fortinet FortiManager FortiOS version running on the remote host
is 5.x greater than or equal to 5.0.3 and prior to 5.0.11. It is,
therefore, affected by a cross-site scripting vulnerability in the
advanced dataset reports page due to a failure to properly sanitize
user-supplied input to the 'sql-query' GET parameter before returning
it to users. An unauthenticated, remote attacker can exploit this, via
a crafted request, to execute arbitrary script code or HTML in the
user's browser session. Note that this issue applies when the
FortiAnalyzer feature is enabled.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2015/May/29");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Fortinet FortiOS version 5.0.11.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/02/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fortinet:fortimanager_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("fortinet_version.nbin");
  script_require_keys("Host/Fortigate/model", "Host/Fortigate/version", "Host/Fortigate/build");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

app_name = "FortiManager";
model = get_kb_item_or_exit("Host/Fortigate/model");
version = get_kb_item_or_exit("Host/Fortigate/version");
build = get_kb_item_or_exit("Host/Fortigate/build");
vuln = FALSE;

# Make sure device is FortiManager.
if (!preg(string:model, pattern:"fortimanager", icase:TRUE)) audit(AUDIT_HOST_NOT, "a " + app_name + " device");

if (version =~ "^5\.")
{
  fix = "5.0.11";
  min_ver_vuln = "5.0.3";

  # http://docs.fortinet.com/uploaded/files/2456/fortimanager-v5.0.11-release-notes.pdf
  fix_build = 377;
  # http://docs.fortinet.com/uploaded/files/1136/FortiManager-v5.0-Patch-Release-3-Release-Notes.pdf
  min_build_vuln = 200;
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

# If build number is available, this is the safest comparison.
# Otherwise compare version numbers.
if (build !~ "Unknown")
{
  if (int(build) < fix_build && int(build) >= min_build_vuln) vuln = TRUE;
}
else if (ver_compare(ver:version, fix:fix, strict:FALSE) == -1 &&
         ver_compare(ver:version, fix:min_ver_vuln, strict:FALSE) >= 0)
  vuln = TRUE;

if (vuln)
{
  port = 0;
  set_kb_item(name:"www/"+port+"/XSS", value:TRUE);
  if (report_verbosity > 0)
  {
    report =
      '\n  Model             : ' + model +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fix +
      '\n';

    security_warning(extra:report, port:port);
  }
  else security_warning(port:port);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

Related

securityvulns 2
prion 1
cve 1
openvas 1
packetstorm 1
cvelist 1
nessus 1
nvd 1
vulnerlab 2
fortinet 1
securityvulns
securityvulns
Fortinet FortiAnalyzer &amp; FortiManager - Client Side Cross Site Scripting Vulnerability
2015-05-12 00:00:00
Fortinet FortiAnalyzer and FortiManager crossite scripting
2015-05-12 00:00:00
prion
prion
Cross site scripting
2015-05-12 19:59:00
cve
cve
CVE-2015-3620
2015-05-12 19:59:23
openvas
openvas
Fortinet FortiAnalyzer Reflected XSS Vulnerability (FG-IR-15-005)
2015-06-01 00:00:00
packetstorm
packetstorm
Fortinet FortiAnalyzer / FortiManager Cross Site Scripting
2015-05-05 00:00:00
cvelist
cvelist
CVE-2015-3620
2015-05-12 19:00:00
nessus
nessus
Fortinet FortiAnalyzer FortiOS 5.0.x < 5.0.11 / 5.2.x < 5.2.2 Dataset Reports XSS
2015-10-21 00:00:00
nvd
nvd
CVE-2015-3620
2015-05-12 19:59:23
vulnerlab
vulnerlab
Fortinet FortiAnalyzer&FortiManager - XSS Vulnerability
2015-05-05 00:00:00
Fortinet FortiAnalyzer&FortiManager - XSS Vulnerability
2015-05-05 00:00:00
fortinet
fortinet
Multiple products cross-site scripting vulnerabilities
2015-02-25 00:00:00

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.003

Percentile

70.1%

JSON
Related for FORTIMANAGER_FG-IR-15-005.NASL
securityvulns2prion1cve1openvas1packetstorm1cvelist1nessus1nvd1vulnerlab2fortinet1