CVE-2021-43081

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

6.1MEDIUM

EPSS

0.9%

top 24.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiproxy Fortinet Fortinet Fortiproxy

Timeline

PublishedMay 11

Latest updateMay 12

Description

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS version 7.0.3 and below, 6.4.8 and below, 6.2.10 and below, 6.0.14 to 6.0.0. and in FortiProxy version 7.0.1 and below, 2.0.7 to 2.0.0 web filter override form may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDfortinet/fortios6.4.0 — 6.4.9+3

▶NVDfortinet/fortiproxy2.0.0 — 2.0.8+1

▶CVEListV5fortinet/fortinet_fortiproxyFortiOS version 7.0.3 and below, 6.4.8 and below, 6.2.10 and below, 6.0.14 to 6.0.0. FortiProxy version 7.0.1 and below, 2.0.7 to 2.0.0.

🔴Vulnerability Details

GHSA

GHSA-h9xj-785q-42jj: An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS version 7↗2022-05-12

▶

CVEList

CVE-2021-43081: An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS version 7↗2022-05-11

▶

📋Vendor Advisories

Fortinet

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS version 7.0.3 and below...↗2022-05-11

▶