Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-1471: Cross-site Scripting in Fortinet FortiMail

Severity
4.3 MEDIUM (NVD)
EPSS
4.9%
top 10.39%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Feb 4
Latest update: May 17

Description

Multiple cross-site scripting (XSS) vulnerabilities in admin/FEAdmin.html in Fortinet FortiMail before 4.3.4 on FortiMail Identity-Based Encryption (IBE) appliances allow user-assisted remote attackers to inject arbitrary web script or HTML via (1) the Add field for the Black List under Antispam Management User Preferences or (2) the User name field for the Personal Black/White List in the AntiSpam section.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages: 1 package

🔴 Vulnerability Details

2
GHSA
GHSA-qfmw-5r6m-2483: Multiple cross-site scripting (XSS) vulnerabilities in admin/FEAdmin (2022-05-17)
CVEList
CVE-2013-1471: Multiple cross-site scripting (XSS) vulnerabilities in admin/FEAdmin (2013-02-04)

💥 Exploits & PoCs

1
Exploit-DB
Fortinet FortiMail 400 IBE - Multiple Vulnerabilities (2013-01-29)