Reflected Cross-Site Scripting Vulnerability in FortiWeb's Web Interface
CVE-2022-43955

8HIGH

Key Information:

Vendor: Fortinet
Status: Fortiweb
Vendor: CVE Published:; 11 April 2023

Summary

An improper neutralization of input in the FortiWeb web interface versions ranging from 7.0.0 to 7.0.3, and in various 6.xx and 5.xx releases, can allow unauthenticated remote attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by injecting malicious payloads into log entries that the application uses to generate reports, which can be exploited during the web page generation process, posing significant risks to the security of users interacting with the affected system.

Affected Version(s)

FortiWeb 7.0.0 <= 7.0.3

FortiWeb 6.4.0 <= 6.4.2

FortiWeb 6.3.0 <= 6.3.21

References

https://fortiguard.com/psirt/FG-IR-22-428

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Apr 11, 2023
Vulnerability Reserved
Oct 27, 2022

Collectors

NVD DatabaseMitre Database