Cross-Site Scripting Vulnerability in Fortinet FortiADC
CVE-2022-38374

8.8HIGH

Key Information:

Vendor: Fortinet
Status: Fortinet Fortiadc
Vendor: CVE Published:; 2 November 2022

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Fortinet FortiADC experiences a cross-site scripting vulnerability due to improper input handling during web page generation. This flaw affects versions 7.0.0 through 7.0.2 and 6.2.0 through 6.2.4, allowing attackers to manipulate URL and User fields observed in traffic logs. As a result, unauthorized code or commands may be executed, posing significant risks to web security and data integrity. Organizations utilizing FortiADC should assess their systems and apply necessary patches to mitigate this vulnerability.

Affected Version(s)

Fortinet FortiADC FortiADC 7.0.2, 7.0.1, 7.0.0, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-38374
Created by azhurtanov

CVE-2022-38374
Created by M4fiaB0y

References

https://fortiguard.com/psirt/FG-IR-22-232

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

🟡
Public PoC available
Mar 3, 2023
👾
Exploit known to exist
Mar 3, 2023
Vulnerability published
Nov 2, 2022
Vulnerability Reserved
Aug 16, 2022