FKIE_CVE-2017-17541
Vulnerability from fkie_nvd - Published: 2018-07-16 20:29 - Updated: 2026-06-17 01:11
Severity
Summary
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.4 and below versions, FortiAnalyzer 6.0.0, 5.6.4 and below versions allows inject Javascript code and HTML tags through the CN value of CA and CRL certificates via the import CA and CRL certificates feature.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@fortinet.com | http://www.securitytracker.com/id/1041246 | Third Party Advisory, VDB Entry | |
| psirt@fortinet.com | http://www.securitytracker.com/id/1041247 | Third Party Advisory, VDB Entry | |
| psirt@fortinet.com | https://fortiguard.com/advisory/FG-IR-17-305 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1041246 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1041247 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fortiguard.com/advisory/FG-IR-17-305 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| fortinet | fortianalyzer_firmware | * | |
| fortinet | fortianalyzer_firmware | 6.0.0 | |
| fortinet | fortimanager_firmware | * | |
| fortinet | fortimanager_firmware | 6.0.0 |
{
"affected": [
{
"affectedData": [
{
"product": "Fortinet FortiManager, FortiAnalyzer",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "FortiManager 6.0.0, 5.6.4 and below versions; FortiAnalyzer 6.0.0, 5.6.4 and below versions"
}
]
}
],
"source": "psirt@fortinet.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fortinet:fortianalyzer_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14395CC2-7264-4F1C-BB71-BA70BB97980F",
"versionEndIncluding": "5.6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fortinet:fortianalyzer_firmware:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FC9E13C1-4CEC-45FD-B7BE-207537565BBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fortinet:fortimanager_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DEBC8DBF-8BC5-4DD8-A724-985DE305EA04",
"versionEndIncluding": "5.6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fortinet:fortimanager_firmware:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "86E0D6CE-4731-4A1E-BFEE-E57EEF25F63B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.4 and below versions, FortiAnalyzer 6.0.0, 5.6.4 and below versions allows inject Javascript code and HTML tags through the CN value of CA and CRL certificates via the import CA and CRL certificates feature."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Cross-Site Scripting (XSS) en Fortinet FortiManager 6.0.0, 5.6.4 y anteriores y FortiAnalyzer 6.0.0, 5.6.4 y anteriores permite inyectar c\u00f3digo JavaScript y etiquetas HTML mediante el valor CN de los certificados CA y CRL mediante la caracter\u00edstica de importaci\u00f3n de certificados CA y CRL."
}
],
"id": "CVE-2017-17541",
"lastModified": "2026-06-17T01:11:14.100",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2017-17541",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T14:00:14.644167Z",
"version": "2.0.3"
}
}
]
},
"published": "2018-07-16T20:29:00.270",
"references": [
{
"source": "psirt@fortinet.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1041246"
},
{
"source": "psirt@fortinet.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1041247"
},
{
"source": "psirt@fortinet.com",
"tags": [
"Vendor Advisory"
],
"url": "https://fortiguard.com/advisory/FG-IR-17-305"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1041246"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1041247"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://fortiguard.com/advisory/FG-IR-17-305"
}
],
"sourceIdentifier": "psirt@fortinet.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…