Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2021-22122 — Cross-site Scripting in Fortinet Fortiweb
Severity
6.1 MEDIUM (NVD)
EPSS
55.6%
top 1.91%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Feb 8
Latest update: May 24
Description
An improper neutralization of input during web page generation in the FortiWeb GUI interface, versions 6.3.0 through 6.3.7 and versions before 6.2.4, may allow an unauthenticated, remote attacker to perform a reflected cross-site scripting (XSS) attack by injecting a malicious payload into several vulnerable API endpoints.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7
Affected Packages: 2 packages
Vulnerability Details
GHSA
GHSA-6xx4-8wj3-477v: An improper neutralization of input during web page generation in FortiWeb GUI interface 6... (2022-05-24)
CVEList
CVE-2021-22122: An improper neutralization of input during web page generation in FortiWeb GUI interface 6... (2021-02-08)
VulnCheck
Fortinet FortiWeb Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (2021)
Exploits & PoCs
Nuclei
FortiWeb - Cross Site Scripting
Vendor Advisories
Fortinet
An improper neutralization of input during web page generation in FortiWeb GUI interface 6.3.0 through 6.3.7 and version... (2021-02-08)