Cross-Site Scripting Vulnerability in FortiPortal Management Interface
CVE-2022-41336

6.6MEDIUM

Key Information:

Vendor: Fortinet
Status: Fortiportal
Vendor: CVE Published:; 3 January 2023

Summary

The vulnerability in FortiPortal versions 6.0.0 to 6.0.11 and all 5.x versions involves improper input validation during web page generation. This flaw allows remote authenticated attackers to exploit the system by sending specially crafted requests. The vulnerability specifically involves a crafted 'columnindex' parameter, which can lead to stored cross-site scripting attacks, enabling attackers to execute arbitrary scripts in the context of the user's session.

Affected Version(s)

FortiPortal 6.0.0 <= 6.0.11

FortiPortal 5.3.0 <= 5.3.8

FortiPortal 5.2.0 <= 5.2.6

References

https://fortiguard.com/psirt/FG-IR-22-313

CVSS V3.1

Score:

6.6

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 3, 2023
Vulnerability Reserved
Sep 23, 2022