CVE-2021-36191: Open Redirect in Fortinet FortiWeb

CWE-601 (Open Redirect) | 4 documents | 4 sources
Severity: 5.4 MEDIUM (NVD); CNA score: 4.1
EPSS: 0.2% (top 55.64%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 8; Latest update Dec 9

Description

A URL redirection to untrusted site ('open redirect') vulnerability in Fortinet FortiWeb versions 6.4.1 and below and 6.3.15 and below allows an attacker to use the device as a redirector ("proxy" in the vendor's wording) via crafted GET parameters in requests to error handlers: the error handler sends the browser on to an attacker-chosen URL while the request itself targets the trusted FortiWeb host.
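The bug class behind this description, as an added example that is not FortiWeb code and not taken from cvebase or Fortinet: a hypothetical error handler that redirects to whatever a GET parameter says (the CWE-601 pattern), beside a validator that accepts only same-site paths or absolute URLs to an exact allow-listed host. The parameter name `next`, the function names and the host names are assumptions; the page does not name FortiWeb's actual error-handler parameters.

```python
# Added, constructed example of CWE-601 and its hardened form. Not FortiWeb code.
# The handler, the `next` parameter and the host names are hypothetical.
from urllib.parse import urlsplit


def vulnerable_error_handler(params: dict) -> str:
    """Hypothetical error handler that bounces the browser wherever `next` says.
    A crafted link such as /error?next=https://evil.example/ lets the trusted
    host's URL carry a victim to an attacker-controlled site (CWE-601)."""
    return params.get("next", "/")


def safe_redirect_target(next_param, default="/", allowed_hosts=frozenset()):
    """Return `next_param` only if it is a plain same-site path or an http(s) URL
    whose host is exactly in `allowed_hosts`; otherwise return `default`.

    The checks are deliberately conservative: browsers follow the WHATWG URL
    parser, which normalises input differently from urlsplit(), and that gap is
    where open-redirect filters are usually bypassed."""
    if not next_param:
        return default
    # Backslashes, whitespace and control characters are rewritten by browsers
    # (e.g. "/\\evil.example" becomes "//evil.example"), so reject them outright.
    if any(ch in "\\\t\r\n " or ord(ch) < 0x20 for ch in next_param):
        return default
    try:
        parts = urlsplit(next_param)
    except ValueError:  # e.g. malformed IPv6 literal "http://[::1"
        return default
    if parts.scheme or parts.netloc:
        # Absolute URL (or "//host" network-path reference): only http(s) to an
        # exact allow-listed host. parts.hostname strips userinfo and port, so
        # "https://app.example@evil.example/" is judged by "evil.example".
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() in ("http", "https") and host in allowed_hosts:
            return next_param
        return default
    # Relative reference: must be a single-slash path. "///host" parses as a
    # path in urlsplit() but browsers resolve it to another origin.
    if not next_param.startswith("/") or next_param.startswith("//"):
        return default
    return next_param


def hardened_error_handler(params: dict, allowed_hosts=frozenset()) -> str:
    """Same hypothetical handler with the target validated before the 302."""
    return safe_redirect_target(params.get("next"), "/", allowed_hosts)


if __name__ == "__main__":
    crafted = {"next": "https://evil.example/login"}   # constructed sample request
    print("vulnerable ->", vulnerable_error_handler(crafted))
    print("hardened   ->", hardened_error_handler(crafted, {"app.example"}))
```

The validator returns the caller's string unchanged rather than a re-serialised URL, so the `Location` header the browser sees is exactly what was checked; rebuilding the URL from parsed components is another common place where a filter and a browser disagree.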

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Exploitability: 2.3 | Impact: 2.7)

Reading the vector: the attacker needs low-privileged access (PR:L) and a victim who follows the crafted link (UI:R); the redirect lands the victim on a site outside the device's own security scope (S:C), so the low confidentiality and integrity impacts are the phishing-style consequences for that user, not a compromise of FortiWeb itself (A:N).

Affected Packages (2 packages)

NVD: fortinet/fortiweb, 6.0.0 through 6.0.7 (+7 further version ranges)
CVEListV5: fortinet/fortinet_fortiweb, FortiWeb 6.4.0 and 6.4.1; 6.3.0 through 6.3.15; 6.2.0 through 6.2.6; 6.1.0 through 6.1.2; 6.0.0 through 6.0.7

Patches

Vulnerability Details (2)

GHSA: GHSA-fpgv-9v95-hrgv, "A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6..." (2021-12-09)
CVEList: CVE-2021-36191, "A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6..." (2021-12-08)

Vendor Advisories (1)

Fortinet: "A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below all..." (2021-12-08)

Source: cvebase, CVE-2021-36191: Open Redirect in Fortinet FortiWeb