{"containers": {"cna": {"affected": [{"product": "FortiWeb", "vendor": "Fortinet, Inc.", "versions": [{"status": "affected", "version": "5.6.0 and above"}]}], "datePublic": "2018-03-06T00:00:00", "descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability in Fortinet FortiWeb 5.6.0 up to but not including 6.1.0 under \"Signed Security Mode\", allows attacker to bypass the signed user cookie protection by removing the FortiWeb own protection session cookie."}], "problemTypes": [{"descriptions": [{"description": "Improper Access Control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-04-09T15:21:25", "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet"}, "references": [{"name": "103430", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/103430"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://fortiguard.com/advisory/FG-IR-17-279"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@fortinet.com", "DATE_PUBLIC": "2018-03-06T00:00:00", "ID": "CVE-2017-14191", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "FortiWeb", "version": {"version_data": [{"version_value": "5.6.0 and above"}]}}]}, "vendor_name": "Fortinet, Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An Improper Access Control vulnerability in Fortinet FortiWeb 5.6.0 up to but not including 6.1.0 under \"Signed Security Mode\", allows attacker to bypass the signed user cookie protection by removing the FortiWeb own protection session cookie."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "103430", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103430"}, {"name": "https://fortiguard.com/advisory/FG-IR-17-279", "refsource": "CONFIRM", "url": "https://fortiguard.com/advisory/FG-IR-17-279"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:20:40.946Z"}, "title": "CVE Program Container", "references": [{"name": "103430", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/103430"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://fortiguard.com/advisory/FG-IR-17-279"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-23T14:00:22.017935Z", "id": "CVE-2017-14191", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-25T14:09:53.139Z"}}]}, "cveMetadata": {"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "assignerShortName": "fortinet", "cveId": "CVE-2017-14191", "datePublished": "2018-03-20T13:00:00Z", "dateReserved": "2017-09-07T00:00:00", "dateUpdated": "2024-10-25T14:09:53.139Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.securityfocus.com/bid/103430", "name": "103430", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"]}, {"url": "https://fortiguard.com/advisory/FG-IR-17-279", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:20:40.946Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2017-14191", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-23T14:00:22.017935Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T14:01:36.263Z"}}], "cna": {"affected": [{"vendor": "Fortinet, Inc.", "product": "FortiWeb", "versions": [{"status": "affected", "version": "5.6.0 and above"}]}], "datePublic": "2018-03-06T00:00:00", "references": [{"url": "http://www.securityfocus.com/bid/103430", "name": "103430", "tags": ["vdb-entry", "x_refsource_BID"]}, {"url": "https://fortiguard.com/advisory/FG-IR-17-279", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability in Fortinet FortiWeb 5.6.0 up to but not including 6.1.0 under \"Signed Security Mode\", allows attacker to bypass the signed user cookie protection by removing the FortiWeb own protection session cookie."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Improper Access Control"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2019-04-09T15:21:25"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "5.6.0 and above"}]}, "product_name": "FortiWeb"}]}, "vendor_name": "Fortinet, Inc."}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "http://www.securityfocus.com/bid/103430", "name": "103430", "refsource": "BID"}, {"url": "https://fortiguard.com/advisory/FG-IR-17-279", "name": "https://fortiguard.com/advisory/FG-IR-17-279", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "An Improper Access Control vulnerability in Fortinet FortiWeb 5.6.0 up to but not including 6.1.0 under \"Signed Security Mode\", allows attacker to bypass the signed user cookie protection by removing the FortiWeb own protection session cookie."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2017-14191", "STATE": "PUBLIC", "ASSIGNER": "psirt@fortinet.com", "DATE_PUBLIC": "2018-03-06T00:00:00"}}}}, "cveMetadata": {"cveId": "CVE-2017-14191", "state": "PUBLISHED", "dateUpdated": "2024-10-25T14:09:53.139Z", "dateReserved": "2017-09-07T00:00:00", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2018-03-20T13:00:00Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*", "matchCriteriaId": "8852A454-A129-447C-9B2E-6E16184EFA22", "versionEndExcluding": "6.1.0", "versionStartIncluding": "5.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability in Fortinet FortiWeb 5.6.0 up to but not including 6.1.0 under \"Signed Security Mode\", allows attacker to bypass the signed user cookie protection by removing the FortiWeb own protection session cookie."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso inadecuado en Fortinet FortiWeb versi\u00f3n 5.6.0 hasta 6.1.0 en \"Signed Security Mode\", permite al atacante omitir la protecci\u00f3n de la cookie de usuario firmada eliminando la propia cookie de sesi\u00f3n de protecci\u00f3n de FortiWeb."}], "id": "CVE-2017-14191", "lastModified": "2024-11-21T03:12:19.823", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-20T13:29:00.247", "references": [{"source": "psirt@fortinet.com", "tags": ["Mitigation", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/103430"}, {"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/advisory/FG-IR-17-279"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/103430"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/advisory/FG-IR-17-279"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}