
Test ID:1.3.6.1.4.1.25623.1.0.105204
Category:FortiOS Local Security Checks
Title:Fortinet FortiWeb CSRF Vulnerability (FG-IR-14-013)
Summary:Fortinet FortiWeb is prone to multiple cross-site request forgery (CSRF) vulnerabilities.
Description:Summary:
Fortinet FortiWeb is prone to multiple cross-site request
forgery (CSRF) vulnerabilities.

Vulnerability Insight:
Multiple CSRF vulnerabilities exist in the FortiWeb web
administration console due to lack of CSRF token protection. This could allow remote attackers to
perform administrative actions under specific conditions.

Vulnerability Impact:
A remote unauthenticated attacker may be able to trick a user
into making an unintentional request to the web administration interface, via link or JavaScript
hosted on a malicious web page. This forged request may be treated as authentic and result in
unauthorized actions in the web administration interface. A successful attack would require the
administrator to be logged in, and attacker knowledge of the internal FortiWeb administration
URL.
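The insight above names the root cause as missing CSRF token protection: a request that carries a valid session cookie is honoured regardless of where it originated. The following added example (not Greenbone's test code and not Fortinet's code) models that defect and the standard fix side by side. The session store, the Request class, the hypothetical management URL ADMIN_ORIGIN and the function names are all assumptions constructed for the illustration; the hardened handler applies the synchronizer-token pattern (per-session secret embedded in the form and compared in constant time) and, as defence in depth, rejects a request whose Origin header does not match the administration interface.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed model of an administrative HTTP request: cookies carry the
# login session, form fields carry the action, headers carry Origin.
@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


# Constructed server-side session store: session id -> session data.
SESSIONS = {}

# Assumed origin of the web administration interface (hypothetical value).
ADMIN_ORIGIN = "https://fortiweb-admin.example"


def login(username: str) -> str:
    """Create a logged-in admin session and return its cookie value.

    A fresh CSRF secret is minted per session; the legitimate admin page
    embeds it in every state-changing form.
    """
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token that the legitimate admin page would embed in its forms."""
    return SESSIONS[sid]["csrf_token"]


def apply_change_vulnerable(req: Request) -> bool:
    """Weak pattern: any request with a valid session cookie is honoured.

    Because the browser attaches the session cookie automatically, a
    request the admin's browser was made to send from another site
    passes this check exactly like a genuine one.
    """
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return False
    return True  # administrative action performed


def apply_change_hardened(req: Request) -> bool:
    """Synchronizer-token check plus Origin check.

    The form must carry the per-session token; a cross-site page cannot
    read it, so a forged request fails here. The Origin check is a second,
    independent layer for browsers that send the header.
    """
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return False
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return False
    origin = req.headers.get("Origin")
    if origin is not None and origin != ADMIN_ORIGIN:
        return False
    return True  # administrative action performed
```

The same request, carrying only the session cookie, is accepted by apply_change_vulnerable and refused by apply_change_hardened; only a request that also carries the session's token (and an Origin matching the interface, if present) succeeds against the hardened handler.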

Affected Software/OS:
Fortinet FortiWeb prior to version 5.2.0.

Solution:
Update to version 5.2.0 or later.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2014-3115
CERT/CC vulnerability note: VU#902790
http://www.kb.cert.org/vuls/id/902790
http://seclists.org/fulldisclosure/2014/May/30
http://www.securitytracker.com/id/1030200
Copyright:Copyright (C) 2015 Greenbone AG
