CVE-2020-12814 — Cross-site Scripting in Fortinet Fortianalyzer

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

5.4MEDIUMNVD

CNA4.1

EPSS

0.3%

top 46.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortianalyzer Fortinet Fortianalyzer

Timeline

PublishedNov 2

Latest updateMay 24

Description

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6.0.6 and below, version 6.4.4 allows attacker to execute unauthorized code or commands via specifically crafted requests to the web GUI.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDfortinet/fortianalyzer6.0.0 — 6.0.6+1

▶CVEListV5fortinet/fortinet_fortianalyzerFortiAnalyzer 6.4.4, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0

🔴Vulnerability Details

GHSA

GHSA-x958-96gq-xmx6: A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6↗2022-05-24

▶

CVEList

CVE-2020-12814: A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6↗2021-11-02

▶

OSV

jackson-databind vulnerabilities↗2021-03-15

▶

📋Vendor Advisories

Fortinet

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version...↗2021-11-02

▶

Oracle

Oracle Oracle Retail Applications Risk Matrix: Segment (jackson-databind) — CVE-2019-12814↗2020-01-15

▶