Vulnerability Note VU#902790
Fortinet FortiWeb 5.1 contains a cross-site request forgery vulnerability
Fortinet FortiWeb versions prior to 5.2.0 do not sufficiently verify whether a valid request was intentionally provided by the user, which results in a cross-site request forgery (CSRF) vulnerability. (CWE-352)
CWE-352: Cross-Site Request Forgery (CSRF)
Fortinet FortiWeb versions prior to 5.2.0 do not sufficiently verify whether a valid request was intentionally provided by the user. The cross-site request forgery (CSRF) vulnerability lies in /system/config/adminadd.
A remote unauthenticated attacker may be able to trick an authenticated user into making an unintentional request to the web server via a URL, image load, XMLHttpRequest, etc., which will be treated as an authentic request and may result in information leakage or code execution.
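A log-review heuristic for the behaviour described above, as an added example that is not part of the original note or of any Fortinet tooling: it flags requests to /system/config/adminadd whose Referer does not point back to the management interface. It assumes access logs in Combined Log Format from a proxy in front of the admin interface; the hostname and log lines are constructed, and a missing Referer is reported for manual review rather than treated as proof of forgery.

```python
import re
from urllib.parse import urlsplit

SENSITIVE_PATH = "/system/config/adminadd"   # endpoint named in the advisory
ADMIN_HOST = "waf-admin.example.com"         # assumption: management hostname

# Combined Log Format: client ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def classify(line, admin_host=ADMIN_HOST):
    """Return (verdict, client, time, referer) for hits on SENSITIVE_PATH, else None."""
    m = LINE_RE.match(line)
    if not m or urlsplit(m["target"]).path.rstrip("/") != SENSITIVE_PATH:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        verdict = "no-referer"      # stripped or direct request: review manually
    elif (urlsplit(referer).hostname or "").lower() == admin_host.lower():
        verdict = "same-origin"     # request came from the admin UI itself
    else:
        verdict = "cross-site"      # another site triggered the request
    return verdict, m["client"], m["time"], referer

def suspicious(lines, admin_host=ADMIN_HOST):
    """Keep only requests that did not originate from the admin UI."""
    hits = (classify(line, admin_host) for line in lines)
    return [h for h in hits if h and h[0] != "same-origin"]

# Constructed sample log lines (not taken from a real appliance)
SAMPLE_LOG = [
    '10.0.0.5 - admin [02/May/2014:10:01:12 +0000] "POST /system/config/adminadd HTTP/1.1" 200 512 "https://waf-admin.example.com/" "Mozilla/5.0"',
    '10.0.0.5 - admin [02/May/2014:10:07:44 +0000] "POST /system/config/adminadd HTTP/1.1" 200 512 "http://forum.example.net/thread/42" "Mozilla/5.0"',
    '10.0.0.5 - admin [02/May/2014:10:09:03 +0000] "GET /system/config/adminadd?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [02/May/2014:10:10:00 +0000] "GET /index HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for verdict, client, when, referer in suspicious(SAMPLE_LOG):
        print(f"{when} {client} {verdict} referer={referer}")
```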
Apply an Update
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Fortinet, Inc. | Affected | 20 Nov 2013 | 06 Dec 2013 |
CVSS Metrics
Thanks to William Costa for reporting this vulnerability.
This document was written by Jared Allar.
- CVE IDs: CVE-2014-3115
- Date Public: 02 May 2014
- Date First Published: 07 May 2014
- Date Last Updated: 07 May 2014
- Document Revision: 12