Summary
Multiple CSRF vulnerabilities exist in the FortiWeb web administration console due to lack of CSRF token protection. This could allow remote attackers to perform administrative actions under specific conditions.
Impact
A remote unauthenticated attacker may be able to trick a user into making an unintentional request to the web administration
interface, via link or JavaScript hosted on a malicious web page. This forged request may be treated as authentic and result in unauthorized actions in the web
administration interface. A successful attack would require the administrator to be logged in, and attacker knowledge of the internal FortiWeb administration URL.
Solution
Upgrade to FortiWeb 5.2.0 or higher.
Affected
FortiWeb 5.1.x and lower
Detection
Check the version
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2014-3115 -
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities