CVE-2023-36637

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

5.4MEDIUM

EPSS

0.3%

top 49.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortimail

Timeline

PublishedOct 10

Description

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to inject HTML tags in FortiMail's calendar via input fields.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5fortinet/fortimail7.2.0 — 7.2.2+1

▶NVDfortinet/fortimail7.0.1 — 7.0.5+3

🔴Vulnerability Details

GHSA

GHSA-mmm9-8xmv-42v6: An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail version 7↗2023-10-10

▶

CVEList

CVE-2023-36637: An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail version 7↗2023-10-10

▶

📋Vendor Advisories

Fortinet

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail version 7.2.0 through...↗2023-10-10

▶