Reflected Cross-Site Scripting Vulnerability in FortiWeb's Web Interface
CVE-2022-43955

8HIGH

Key Information:

Vendor: Fortinet
Status: Fortiweb
Vendor: CVE Published:; 11 April 2023

What is CVE-2022-43955?

An improper neutralization of input in the FortiWeb web interface versions ranging from 7.0.0 to 7.0.3, and in various 6.xx and 5.xx releases, can allow unauthenticated remote attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by injecting malicious payloads into log entries that the application uses to generate reports, which can be exploited during the web page generation process, posing significant risks to the security of users interacting with the affected system.

Affected Version(s)

FortiWeb 7.0.0 <= 7.0.3

FortiWeb 6.4.0 <= 6.4.2

FortiWeb 6.3.0 <= 6.3.21

References

https://fortiguard.com/psirt/FG-IR-22-428

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 11, 2023
Vulnerability Reserved
Oct 27, 2022

Fortinet

What is CVE-2022-43955?

Affected Version(s)

References

CVSS V3.1

Timeline