CVE-2021-41015 — Cross-site Scripting in Fortinet Fortiweb

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.5%

top 32.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortiweb Fortinet Fortiweb

Timeline

PublishedDec 8

Latest updateDec 9

Description

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests to SAML login handler

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDfortinet/fortiweb6.4.0, 6.4.1+1

▶CVEListV5fortinet/fortinet_fortiwebFortiWeb 6.4.1, 6.4.0

Patches

Patch: fortiguard.com ↗Patch: fortiguard.com ↗

🔴Vulnerability Details

GHSA

GHSA-442w-3vhj-m8rc: A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6↗2021-12-09

▶

CVEList

CVE-2021-41015: A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6↗2021-12-08

▶

📋Vendor Advisories

Fortinet

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4...↗2021-12-08

▶