CVE-2017-14191 : An Improper Access Control vulnerability in Fortinet FortiWeb 5.6.0 up to but no

An Improper Access Control vulnerability in Fortinet FortiWeb 5.6.0 up to but not including 6.1.0 under "Signed Security Mode", allows attacker to bypass the signed user cookie protection by removing the FortiWeb own protection session cookie.

Published 2018-03-20 13:29:00

Updated 2019-10-03 00:03:26

Source Fortinet, Inc.

View at NVD, CVE.org

Products affected by CVE-2017-14191

Fortinet » Fortiweb
Versions from including (>=) 5.6.0 and before (<) 6.1.0
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-14191

EPSS FAQ

0.22%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 42 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-14191

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

References for CVE-2017-14191

https://fortiguard.com/advisory/FG-IR-17-279

FortiWeb's cookie tampering protection can be bypassed by erasing the FortiWeb session cookie | FortiGuard
Vendor Advisory
http://www.securityfocus.com/bid/103430

Fortinet Fortiweb CVE-2017-14191 Access Bypass Vulnerability
Mitigation;Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2017-14191

Products affected by CVE-2017-14191

Exploit prediction scoring system (EPSS) score for CVE-2017-14191

CVSS scores for CVE-2017-14191

References for CVE-2017-14191