CVE-2016-3196: XSS
First published: Fri Aug 05 2016(Updated: )
Cross-site scripting (XSS) vulnerability in Fortinet FortiAnalyzer 5.x before 5.0.12 and 5.2.x before 5.2.6 and FortiManager 5.x before 5.0.12 and 5.2.x before 5.2.6 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an image uploaded in the report section.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiManager | =5.0.3 | |
| Fortinet FortiManager | =5.0.4 | |
| Fortinet FortiManager | =5.0.5 | |
| Fortinet FortiManager | =5.0.6 | |
| Fortinet FortiManager | =5.0.7 | |
| Fortinet FortiManager | =5.0.8 | |
| Fortinet FortiManager | =5.0.9 | |
| Fortinet FortiManager | =5.0.10 | |
| Fortinet FortiManager | =5.2.0 | |
| Fortinet FortiManager | =5.2.1 | |
| Fortinet FortiManager | =5.2.2 | |
| Fortinet FortiManager | =5.2.3 | |
| Fortinet FortiManager | =5.2.4 | |
| Fortinet FortiManager | =5.2.5 | |
| Fortinet FortiAnalyzer | =5.0.0 | |
| Fortinet FortiAnalyzer | =5.0.1 | |
| Fortinet FortiAnalyzer | =5.0.4 | |
| Fortinet FortiAnalyzer | =5.0.5 | |
| Fortinet FortiAnalyzer | =5.0.10 | |
| Fortinet FortiAnalyzer | =5.2.0 | |
| Fortinet FortiAnalyzer | =5.2.1 | |
| Fortinet FortiAnalyzer | =5.2.2 | |
| Fortinet FortiAnalyzer | =5.2.3 | |
| Fortinet FortiAnalyzer | =5.2.4 | |
| Fortinet FortiAnalyzer | =5.2.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://fortiguard.com/advisory/fortimanager-and-fortianalyzer-persistent-xss-vulnerability
- http://seclists.org/fulldisclosure/2016/Aug/4
- http://www.securityfocus.com/archive/1/539069/100/0/threaded
- http://www.securityfocus.com/bid/92203
- http://www.securitytracker.com/id/1036550
- http://www.securitytracker.com/id/1036551
- http://www.vulnerability-lab.com/get_content.php?id=1687
Frequently Asked Questions
What is the severity of CVE-2016-3196?
CVE-2016-3196 has a medium severity rating due to the potential for cross-site scripting attacks.
How do I fix CVE-2016-3196?
To fix CVE-2016-3196, upgrade Fortinet FortiAnalyzer to version 5.0.12 or later and FortiManager to version 5.0.12 or later.
What versions are affected by CVE-2016-3196?
Affected versions are Fortinet FortiAnalyzer 5.x before 5.0.12 and 5.2.x before 5.2.6, as well as FortiManager 5.x before 5.0.12 and 5.2.x before 5.2.6.
Who can exploit CVE-2016-3196?
CVE-2016-3196 can be exploited by remote authenticated users who can upload images in the report section.
What type of vulnerability is CVE-2016-3196?
CVE-2016-3196 is a cross-site scripting (XSS) vulnerability that allows the injection of arbitrary web scripts or HTML.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/softwarecombine
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/fortinet
- canonical/fortinet fortimanager
- version/fortinet fortimanager/5.0.3
- version/fortinet fortimanager/5.0.4
- version/fortinet fortimanager/5.0.5
- version/fortinet fortimanager/5.0.6
- version/fortinet fortimanager/5.0.7
- version/fortinet fortimanager/5.0.8
- version/fortinet fortimanager/5.0.9
- version/fortinet fortimanager/5.0.10
- version/fortinet fortimanager/5.2.0
- version/fortinet fortimanager/5.2.1
- version/fortinet fortimanager/5.2.2
- version/fortinet fortimanager/5.2.3
- version/fortinet fortimanager/5.2.4
- version/fortinet fortimanager/5.2.5
- canonical/fortinet fortianalyzer
- version/fortinet fortianalyzer/5.0.0
- version/fortinet fortianalyzer/5.0.1
- version/fortinet fortianalyzer/5.0.4
- version/fortinet fortianalyzer/5.0.5
- version/fortinet fortianalyzer/5.0.10
- version/fortinet fortianalyzer/5.2.0
- version/fortinet fortianalyzer/5.2.1
- version/fortinet fortianalyzer/5.2.2
- version/fortinet fortianalyzer/5.2.3
- version/fortinet fortianalyzer/5.2.4
- version/fortinet fortianalyzer/5.2.5