CVE-2022-40680 — Cross-site Scripting in Fortinet Fortios

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

CNA4.0

EPSS

0.6%

top 30.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiproxy

Timeline

PublishedDec 6

Description

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3 allows a privileged attacker to execute unauthorized code or commands via storing malicious payloads in replacement messages.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5fortinet/fortios7.0.0 — 7.0.3+3

▶NVDfortinet/fortios6.0.7 — 6.0.15+3

▶CVEListV5fortinet/fortiproxy7.0.0 — 7.0.1+3

🔴Vulnerability Details

CVEList

CVE-2022-40680: A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6↗2022-12-06

▶

GHSA

GHSA-4gwx-h6rx-fcw3: A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6↗2022-12-06

▶

📋Vendor Advisories

Fortinet

Stored cross-site scripting in replacement messages visualization↗2022-12-06

▶