CVE-2019-6696 - OpenCVE

An improper input validation vulnerability in FortiOS 6.2.1, 6.2.0, 6.0.8 and below until 5.4.0 under admin webUI may allow an attacker to perform an URL redirect attack via a specifically crafted request to the admin initial password change webpage.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fortinet	Fortios

Configuration 1 [-]

OR	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios:6.2.0:::::::*
	cpe:2.3:o:fortinet:fortios:6.2.1:::::::*

No data.

References

Link	Providers
https://fortiguard.com/psirt/FG-IR-19-179

History

No history.

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2020-03-15T22:03:22

Updated: 2024-08-04T20:31:04.188Z

Reserved: 2019-01-23T00:00:00

Link: CVE-2019-6696

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-03-15T23:15:11.470

Modified: 2021-07-21T11:39:23.747

Link: CVE-2019-6696

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Fortinet FortiOS", "vendor": "Fortinet", "versions": [{"status": "affected", "version": "6.2.1"}, {"status": "affected", "version": "6.2.0"}, {"status": "affected", "version": "6.0.8 and below until 5.4.0"}]}], "descriptions": [{"lang": "en", "value": "An improper input validation vulnerability in FortiOS 6.2.1, 6.2.0, 6.0.8 and below until 5.4.0 under admin webUI may allow an attacker to perform an URL redirect attack via a specifically crafted request to the admin initial password change webpage."}], "problemTypes": [{"descriptions": [{"description": "Execute unauthorized code or commands", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-15T22:03:22", "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://fortiguard.com/psirt/FG-IR-19-179"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@fortinet.com", "ID": "CVE-2019-6696", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Fortinet FortiOS", "version": {"version_data": [{"version_value": "6.2.1"}, {"version_value": "6.2.0"}, {"version_value": "6.0.8 and below until 5.4.0"}]}}]}, "vendor_name": "Fortinet"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An improper input validation vulnerability in FortiOS 6.2.1, 6.2.0, 6.0.8 and below until 5.4.0 under admin webUI may allow an attacker to perform an URL redirect attack via a specifically crafted request to the admin initial password change webpage."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Execute unauthorized code or commands"}]}]}, "references": {"reference_data": [{"name": "https://fortiguard.com/psirt/FG-IR-19-179", "refsource": "CONFIRM", "url": "https://fortiguard.com/psirt/FG-IR-19-179"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T20:31:04.188Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://fortiguard.com/psirt/FG-IR-19-179"}]}]}, "cveMetadata": {"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "assignerShortName": "fortinet", "cveId": "CVE-2019-6696", "datePublished": "2020-03-15T22:03:22", "dateReserved": "2019-01-23T00:00:00", "dateUpdated": "2024-08-04T20:31:04.188Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "matchCriteriaId": "21713C4E-4504-4901-BCB0-389FA7561B60", "versionEndIncluding": "6.0.8", "versionStartIncluding": "5.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortios:6.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "72C437B7-75F8-4DDC-9670-19E2C21ACB27", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortios:6.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "B468AF9F-1619-4399-A1A5-115C26FB01DA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper input validation vulnerability in FortiOS 6.2.1, 6.2.0, 6.0.8 and below until 5.4.0 under admin webUI may allow an attacker to perform an URL redirect attack via a specifically crafted request to the admin initial password change webpage."}, {"lang": "es", "value": "Una vulnerabilidad de comprobaci\u00f3n de entrada inapropiada en FortiOS versiones 6.2.1, 6.2.0, 6.0.8 y por debajo hasta 5.4.0, bajo la Interfaz de Usuario Web de administraci\u00f3n puede permitir a un atacante llevar a cabo un ataque de redireccionamiento de URL por medio de una petici\u00f3n espec\u00edficamente dise\u00f1ada para la p\u00e1gina web de cambio de contrase\u00f1a inicial del administrador."}], "id": "CVE-2019-6696", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-15T23:15:11.470", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-19-179"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}