CVE-2019-15706 — Cross-site Scripting in Fortinet Fortios

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

CNA4.1

EPSS

0.1%

top 82.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiproxy

Timeline

PublishedMar 17

Description

An improper neutralization of input during web page generation in the SSL VPN portal of FortiProxy version 2.0.0, version 1.2.9 and below and FortiOS version 6.2.1 and below, version 6.0.8 and below, version 5.6.12 may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶NVDfortinet/fortios5.6.0 — 5.6.13+2

▶CVEListV5fortinet/fortios6.2.0 — 6.2.1+2

▶CVEListV5fortinet/fortiproxy1.2.0 — 1.2.9+1

▶NVDfortinet/fortiproxy1.2.0 — 1.2.9+1

🔴Vulnerability Details

CVEList

CVE-2019-15706: An improper neutralization of input during web page generation in the SSL VPN portal of FortiProxy version 2↗2025-03-17

▶

GHSA

GHSA-c369-gmg5-w8pw: An improper neutralization of input during web page generation in the SSL VPN portal of FortiProxy version 2↗2025-03-17

▶

📋Vendor Advisories

Fortinet

An improper neutralization of input during web page generation in the SSL VPN portal of FortiProxy version 2.0.0, versio...↗2025-03-17

▶