CVE-2021-22122
published 2021-02-08

Priority: P181
CVSS 3.1 base score: 6.1 (medium), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck KEV: exploited in the wild
EPSS: 10.52% (95.2th percentile)
An improper neutralization of input during web page generation in FortiWeb GUI interface 6.3.0 through 6.3.7 and version before 6.2.4 may allow an unauthenticated, remote attacker to perform a reflected cross site scripting attack (XSS) by injecting malicious payload in different vulnerable API end-points.

Affected (4 ranges)

Vendor     Product             Version range    Fixed in
fortinet   fortinet_fortiweb   -                -
fortinet   fortiweb            <= 6.2.3         -
fortinet   fortiweb            -                -
fortinet   fortiweb            6.3.0 – 6.3.7    -

Detection & IOCs (extracted from sources)

URL: /error3?msg=30&data=';alert('document.domain');//
  • Detect exploitation attempts against the /error3 endpoint by looking for XSS payload patterns in the 'data' query parameter (e.g., script injection with alert or document.domain).
  • Confirm exploitation by checking HTTP response body for both the injected payload string and the string 'No policy has been chosen.' simultaneously (AND condition).
  • Use Shodan, FOFA, or Google dorks to identify exposed FortiWeb instances as potential targets: shodan-query 'http.title:"fortiweb - "', fofa-query 'title="fortiweb - "', google-query 'intitle:"fortiweb - "'.
  • The vulnerability is unauthenticated and reflected XSS; no authentication is required to exploit the vulnerable API endpoints, meaning any unauthenticated remote attacker can trigger it.
  • Affected versions are FortiWeb 6.3.0 through 6.3.7 and all versions before 6.2.4; detections should be scoped to these version ranges.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd         v2.0      4.3     MEDIUM     AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck   -         6.1     MEDIUM     -