CVE-2021-43063

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

6.1MEDIUM

EPSS

0.8%

top 26.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortiweb Fortinet Fortinet Fortiweb

Timeline

PublishedDec 8

Latest updateDec 9

Description

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the login webpage.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDfortinet/fortiweb6.2.0 — 6.2.6+3

▶CVEListV5fortinet/fortinet_fortiwebFortiWeb 6.4.1, 6.4.0, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.1, 6.3.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0

Patches

Patch: fortiguard.com ↗Patch: fortiguard.com ↗

🔴Vulnerability Details

GHSA

GHSA-8885-3g6h-5g9c: A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6↗2021-12-09

▶

CVEList

CVE-2021-43063: A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6↗2021-12-08

▶

📋Vendor Advisories

Fortinet

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4...↗2021-12-08

▶