Cross-Site Scripting Vulnerability in FortiManager and FortiAnalyzer
CVE-2022-39950

8HIGH

Key Information:

Vendor
Fortinet
Status
Fortinet Fortianalyzer, Fortimanager
Vendor
CVE Published:
2 November 2022

Summary

An input validation flaw exists in FortiManager and FortiAnalyzer products that permits low privilege attackers to exploit web page generation processes. This vulnerability arises when malformed comments are submitted via CKeditor's 'protected' comment feature, leading to potential Cross-Site Scripting (XSS) attacks. By leveraging this flaw, attackers can execute arbitrary scripts in the context of a victim's session, potentially compromising sensitive information and integrity of the affected applications.

Affected Version(s)

Fortinet FortiAnalyzer, FortiManager FortiAnalyzer 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.11, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0; FortiManager 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.11, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0

References

https://fortiguard.com/psirt/FG-IR-21-228

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.