Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2021-43062
Severity
6.1 MEDIUM
EPSS
57.1%
top 1.85%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Feb 2
Latest update: Feb 18
Description
An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail versions 7.0.1 and 7.0.0, version 6.4.5 and below, version 6.3.7 and below, and version 6.0.11 and below allows an attacker to execute unauthorized code or commands via crafted HTTP GET requests to the FortiGuard URI protection service.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7
Affected Packages (2 packages)
CVEListV5: fortinet/fortinet_fortimail
FortiMail 7.0.1, 7.0.0, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.11, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0
Vulnerability Details (2)
GHSA: GHSA-6fhp-jhwr-cwgh: An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail version 7 (2022-02-08)
CVEList: CVE-2021-43062: An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail version 7 (2022-02-02)
Exploits & PoCs (2)
Nuclei: Fortinet FortiMail 7.0.1 - Cross-Site Scripting
Vendor Advisories (1)
Fortinet: An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail version 7.0... (2022-02-02)