Sign-up

ID

VAR-201704-0569


CVE

CVE-2017-3125


TITLE

FortiMail Unspecified cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-003125

DESCRIPTION

An unauthenticated XSS vulnerability with FortiMail 5.0.0 - 5.2.9 and 5.3.0 - 5.3.8 could allow an attacker to execute arbitrary scripts in the security context of the browser of a victim logged in FortiMail, assuming the victim is social engineered into clicking an URL crafted by the attacker. Fortinet FortiMail is prone to a unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiMail 5.0.0 through 5.2.9 and 5.3.0 through 5.3.8 are vulnerable. Fortinet FortiMail is an email information security device from Fortinet, which provides information filtering engine, anti-spam and threat defense functions

Trust: 1.98

sources: NVD: CVE-2017-3125 // JVNDB: JVNDB-2017-003125 // BID: 97474 // VULHUB: VHN-111328

AFFECTED PRODUCTS

vendor:fortinetmodel:fortimailscope:eqversion:5.3.8

Trust: 1.9

vendor:fortinetmodel:fortimailscope:eqversion:5.2.2

Trust: 1.6

vendor:fortinetmodel:fortimailscope:eqversion:5.3.2

Trust: 1.6

vendor:fortinetmodel:fortimailscope:eqversion:5.3.3

Trust: 1.6

vendor:fortinetmodel:fortimailscope:eqversion:5.3.7

Trust: 1.6

vendor:fortinetmodel:fortimailscope:eqversion:5.3.5

Trust: 1.6

vendor:fortinetmodel:fortimailscope:eqversion:5.3.6

Trust: 1.6

vendor:fortinetmodel:fortimailscope:eqversion:5.2

Trust: 1.6

vendor:fortinetmodel:fortimailscope:eqversion:5.2.1

Trust: 1.6

vendor:fortinetmodel:fortimailscope:eqversion:5.3.1

Trust: 1.6

vendor:fortinetmodel:fortimailscope:eqversion:5.3

Trust: 1.3

vendor:fortinetmodel:fortimailscope:eqversion:5.2.9

Trust: 1.3

vendor:fortinetmodel:fortimailscope:eqversion:5.1.2

Trust: 1.3

vendor:fortinetmodel:fortimailscope:eqversion:5.0.5

Trust: 1.3

vendor:fortinetmodel:fortimailscope:eqversion:5.2.3

Trust: 1.3

vendor:fortinetmodel:fortimailscope:eqversion:5.1.5

Trust: 1.3

vendor:fortinetmodel:fortimailscope:eqversion:5.1.3

Trust: 1.3

vendor:fortinetmodel:fortimailscope:eqversion:5.0.8

Trust: 1.3

vendor:fortinetmodel:fortimailscope:eqversion:5.0.7

Trust: 1.3

vendor:fortinetmodel:fortimailscope:eqversion:5.0.6

Trust: 1.3

vendor:fortinetmodel:fortimailscope:eqversion:5.1

Trust: 1.0

vendor:fortinetmodel:fortimailscope:eqversion:5.2.5

Trust: 1.0

vendor:fortinetmodel:fortimailscope:eqversion:5.0.9

Trust: 1.0

vendor:fortinetmodel:fortimailscope:eqversion:5.2.6

Trust: 1.0

vendor:fortinetmodel:fortimailscope:eqversion:5.3.4

Trust: 1.0

vendor:fortinetmodel:fortimailscope:eqversion:5.2.4

Trust: 1.0

vendor:fortinetmodel:fortimailscope:eqversion:5.2.7

Trust: 1.0

vendor:fortinetmodel:fortimailscope:eqversion:5.2.8

Trust: 1.0

vendor:fortinetmodel:fortimailscope:eqversion:5.1.6

Trust: 1.0

vendor:fortinetmodel:fortimailscope:eqversion:5.0

Trust: 1.0

vendor:fortinetmodel:fortimailscope:eqversion:5.0.10

Trust: 1.0

vendor:fortinetmodel:fortimailscope:eqversion:5.0.0 to 5.2.9

Trust: 0.8

vendor:fortinetmodel:fortimailscope:eqversion:5.3.0 to 5.3.8

Trust: 0.8

vendor:fortinetmodel:fortimailscope:eqversion:5.1.4

Trust: 0.3

vendor:fortinetmodel:fortimailscope:eqversion:5.1.1

Trust: 0.3

vendor:fortinetmodel:fortimailscope:eqversion:5.0.2

Trust: 0.3

vendor:fortinetmodel:fortimailscope:eqversion:5.0.1

Trust: 0.3

vendor:fortinetmodel:fortimailscope:eqversion:5.0.0

Trust: 0.3

vendor:fortinetmodel:fortimailscope:neversion:5.3.9

Trust: 0.3

sources: BID: 97474 // JVNDB: JVNDB-2017-003125 // NVD: CVE-2017-3125 // CNNVD: CNNVD-201704-321

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2017-3125
value: MEDIUM

Trust: 1.8

CNNVD: CNNVD-201704-321
value: MEDIUM

Trust: 0.6

VULHUB: VHN-111328
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: TRUE
version: 2.0

Trust: 1.0

NVD: CVE-2017-3125
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-111328
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

NVD:
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.0

NVD: CVE-2017-3125
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-111328 // JVNDB: JVNDB-2017-003125 // NVD: CVE-2017-3125 // CNNVD: CNNVD-201704-321

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-111328 // JVNDB: JVNDB-2017-003125 // NVD: CVE-2017-3125

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-321

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201704-321

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2017-3125

PATCH
title:FG-IR-17-011url:http://fortiguard.com/psirt/fg-ir-17-011
Trust: 0.8
title:Fortinet FortiMail Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=69104
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-003125 // 
            
            
            
            CNNVD: CNNVD-201704-321

EXTERNAL IDS
db:NVDid:CVE-2017-3125
Trust: 2.8
db:BIDid:97474
Trust: 2.0
db:JVNDBid:JVNDB-2017-003125
Trust: 0.8
db:CNNVDid:CNNVD-201704-321
Trust: 0.7
db:VULHUBid:VHN-111328
Trust: 0.1
sources:
            
            
            VULHUB: VHN-111328 // 
            
            
            
            BID: 97474 // 
            
            
            
            JVNDB: JVNDB-2017-003125 // 
            
            
            
            NVD: CVE-2017-3125 // 
            
            
            
            CNNVD: CNNVD-201704-321

REFERENCES
url:http://fortiguard.com/psirt/fg-ir-17-011
Trust: 2.0
url:http://www.securityfocus.com/bid/97474
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3125
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-3125
Trust: 0.8
url:http://www.fortinet.com/products/fortimail/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-111328 // 
            
            
            
            BID: 97474 // 
            
            
            
            JVNDB: JVNDB-2017-003125 // 
            
            
            
            NVD: CVE-2017-3125 // 
            
            
            
            CNNVD: CNNVD-201704-321

CREDITS
Ebrahim Hegazy
Trust: 0.9
sources:
            
            
            BID: 97474 // 
            
            
            
            CNNVD: CNNVD-201704-321

SOURCES
db:VULHUBid:VHN-111328
db:BIDid:97474
db:JVNDBid:JVNDB-2017-003125
db:NVDid:CVE-2017-3125
db:CNNVDid:CNNVD-201704-321

LAST UPDATE DATE
2023-12-18T12:51:20.307000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-111328date:2017-04-18T00:00:00
db:BIDid:97474date:2017-04-11T00:03:00
db:JVNDBid:JVNDB-2017-003125date:2017-05-16T00:00:00
db:NVDid:CVE-2017-3125date:2017-04-18T20:47:14.543
db:CNNVDid:CNNVD-201704-321date:2017-04-17T00:00:00

SOURCES RELEASE DATE
db:VULHUBid:VHN-111328date:2017-04-12T00:00:00
db:BIDid:97474date:2017-04-04T00:00:00
db:JVNDBid:JVNDB-2017-003125date:2017-05-16T00:00:00
db:NVDid:CVE-2017-3125date:2017-04-12T15:59:00.160
db:CNNVDid:CNNVD-201704-321date:2017-04-07T00:00:00