CVE-2014-0331 - OpenCVE

Cross-site scripting (XSS) vulnerability in the web administration interface in FortiADC with firmware before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via the locale parameter to gui_partA/.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Fortinet	Fortiadc-600e Fortiadc-1500d Fortiadc-1000e Fortiadc-4000d Fortiadc Firmware Fortiadc-400e Fortiadc-300e Fortiadc-200d Fortiadc-2000d

Configuration 1 [-]

AND

cpe:2.3:o:fortinet:fortiadc_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:fortinet:fortiadc-1000e:-:::::::*
	cpe:2.3:h:fortinet:fortiadc-1500d:-:::::::*
	cpe:2.3:h:fortinet:fortiadc-2000d:-:::::::*
	cpe:2.3:h:fortinet:fortiadc-200d:-:::::::*
	cpe:2.3:h:fortinet:fortiadc-300e:-:::::::*
	cpe:2.3:h:fortinet:fortiadc-4000d:-:::::::*
	cpe:2.3:h:fortinet:fortiadc-400e:-:::::::*
	cpe:2.3:h:fortinet:fortiadc-600e:-:::::::*

References

Link	Resource
http://seclists.org/fulldisclosure/2014/Apr/53	Exploit
http://www.fortiguard.com/advisory/FG-IR-14-004	Vendor Advisory
http://www.kb.cert.org/vuls/id/667340
http://www.securityfocus.com/bid/66642
http://www.securitytracker.com/id/1030018

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: certcc

Published: 2014-04-10T14:00:00

Updated: 2017-12-15T17:57:01

Reserved: 2013-12-05T00:00:00

Link: CVE-2014-0331

JSON object: View

NVD Information

Status : Modified

Published: 2014-04-10T20:29:20.440

Modified: 2017-12-16T02:29:03.793

Link: CVE-2014-0331

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-04-03T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the web administration interface in FortiADC with firmware before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via the locale parameter to gui_partA/."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-15T17:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "VU#667340", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/667340"}, {"name": "1030018", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1030018"}, {"name": "66642", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/66642"}, {"name": "20140403 XSS Reflected vulnerabilities in OS of FortiADC v3.2 (CVE-2014-0331)", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Apr/53"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.fortiguard.com/advisory/FG-IR-14-004"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2014-0331", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the web administration interface in FortiADC with firmware before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via the locale parameter to gui_partA/."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "VU#667340", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/667340"}, {"name": "1030018", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1030018"}, {"name": "66642", "refsource": "BID", "url": "http://www.securityfocus.com/bid/66642"}, {"name": "20140403 XSS Reflected vulnerabilities in OS of FortiADC v3.2 (CVE-2014-0331)", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Apr/53"}, {"name": "http://www.fortiguard.com/advisory/FG-IR-14-004", "refsource": "CONFIRM", "url": "http://www.fortiguard.com/advisory/FG-IR-14-004"}]}}}}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2014-0331", "datePublished": "2014-04-10T14:00:00", "dateReserved": "2013-12-05T00:00:00", "dateUpdated": "2017-12-15T17:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fortinet:fortiadc_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B37EB14C-8AE2-4455-BF4F-9083BF5C263E", "versionEndIncluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fortinet:fortiadc-1000e:-:*:*:*:*:*:*:*", "matchCriteriaId": "B3C04FD0-F54D-461C-AB13-80557B838FB6", "vulnerable": true}, {"criteria": "cpe:2.3:h:fortinet:fortiadc-1500d:-:*:*:*:*:*:*:*", "matchCriteriaId": "274CBD0B-E479-46FA-B49E-98C40D4F7FEE", "vulnerable": true}, {"criteria": "cpe:2.3:h:fortinet:fortiadc-2000d:-:*:*:*:*:*:*:*", "matchCriteriaId": "2C1A4E26-7A8C-4263-A68A-BFEBCF9B7AE5", "vulnerable": true}, {"criteria": "cpe:2.3:h:fortinet:fortiadc-200d:-:*:*:*:*:*:*:*", "matchCriteriaId": "6ED99A22-40FD-4B45-8BD9-1E10D4311009", "vulnerable": true}, {"criteria": "cpe:2.3:h:fortinet:fortiadc-300e:-:*:*:*:*:*:*:*", "matchCriteriaId": "A7E75BFB-3DE5-4DB5-9C90-3AB9D22EBC08", "vulnerable": true}, {"criteria": "cpe:2.3:h:fortinet:fortiadc-4000d:-:*:*:*:*:*:*:*", "matchCriteriaId": "564E4319-6E2C-473C-B591-3AE69E8FABCF", "vulnerable": true}, {"criteria": "cpe:2.3:h:fortinet:fortiadc-400e:-:*:*:*:*:*:*:*", "matchCriteriaId": "B1A8EE3A-31E1-44B5-AA2C-D6F2989C4B50", "vulnerable": true}, {"criteria": "cpe:2.3:h:fortinet:fortiadc-600e:-:*:*:*:*:*:*:*", "matchCriteriaId": "94593E5C-BCBC-4368-89E2-0372A17D9296", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the web administration interface in FortiADC with firmware before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via the locale parameter to gui_partA/."}, {"lang": "es", "value": "Vulnerabilidad de XSS en la interfaz de administraci\u00f3n de web en FortiADC con firmware anterior a 3.2.1 permite a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s del par\u00e1metro locale hacia gui_partA/."}], "id": "CVE-2014-0331", "lastModified": "2017-12-16T02:29:03.793", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-04-10T20:29:20.440", "references": [{"source": "cret@cert.org", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Apr/53"}, {"source": "cret@cert.org", "tags": ["Vendor Advisory"], "url": "http://www.fortiguard.com/advisory/FG-IR-14-004"}, {"source": "cret@cert.org", "url": "http://www.kb.cert.org/vuls/id/667340"}, {"source": "cret@cert.org", "url": "http://www.securityfocus.com/bid/66642"}, {"source": "cret@cert.org", "url": "http://www.securitytracker.com/id/1030018"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}