Stored Cross-Site Scripting Vulnerability in FortiAnalyzer by Fortinet
CVE-2021-24021

4.3MEDIUM

Key Information:

Vendor: Fortinet
Status: Fortinet Fortianalyzer
Vendor: CVE Published:; 6 October 2021

Summary

FortiAnalyzer contains an improper neutralization of input vulnerability that can allow a remote authenticated attacker to execute a stored cross-site scripting attack. This issue arises in the column settings of the Logview feature, whereby an attacker could potentially manipulate a POST request to inject malicious scripts, leading to unauthorized actions or data exposure upon the execution of the compromised code in a victim's browser.

Affected Version(s)

Fortinet FortiAnalyzer FortiAnalyzer 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0

References

https://fortiguard.com/advisory/FG-IR-20-098

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 6, 2021
Vulnerability Reserved
Jan 13, 2021