CVE-2021-26092Cross-site Scripting in Fortinet Fortios

CWE-79Cross-site Scripting4 documents4 sources
Severity
6.1MEDIUMNVD
CNA4.7
EPSS
0.5%
top 32.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Fortinet FortiosFortinet Fortiproxy
Timeline
PublishedFeb 24
Latest updateFeb 25

Description

Failure to sanitize input in the SSL VPN web portal of FortiOS 5.2.10 through 5.2.15, 5.4.0 through 5.4.13, 5.6.0 through 5.6.14, 6.0.0 through 6.0.12, 6.2.0 through 6.2.7, 6.4.0 through 6.4.4; and FortiProxy 1.2.0 through 1.2.9, 2.0.0 through 2.0.1 may allow a remote unauthenticated attacker to perform a reflected Cross-site Scripting (XSS) attack by sending a request to the error page with malicious GET parameters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDfortinet/fortios5.2.105.2.15+5
NVDfortinet/fortiproxy1.2.01.2.9+2

🔴Vulnerability Details

2
GHSA
GHSA-mpgj-7qvh-h4r8: Failure to sanitize input in the SSL VPN web portal of FortiOS 52022-02-25
CVEList
CVE-2021-26092: Failure to sanitize input in the SSL VPN web portal of FortiOS 52022-02-24

📋Vendor Advisories

1
Fortinet
Failure to sanitize input in the SSL VPN web portal of FortiOS 5.2.10 through 5.2.15, 5.4.0 through 5.4.13, 5.6.0 throug...2022-02-24
CVE-2021-26092 — Cross-site Scripting in Fortinet | cvebase