CVE-2021-26092

EPSS 0.53%
Published 24.02.2022 03:15:43
Last modified 21.11.2024 05:55:51
Source psirt@fortinet.com
Teams watchlist Login
Open Login

Failure to sanitize input in the SSL VPN web portal of FortiOS 5.2.10 through 5.2.15, 5.4.0 through 5.4.13, 5.6.0 through 5.6.14, 6.0.0 through 6.0.12, 6.2.0 through 6.2.7, 6.4.0 through 6.4.4; and FortiProxy 1.2.0 through 1.2.9, 2.0.0 through 2.0.1 may allow a remote unauthenticated attacker to perform a reflected Cross-site Scripting (XSS) attack by sending a request to the error page with malicious GET parameters.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Fortinet ≫ Fortiproxy Version >= 1.2.0 <= 1.2.9

Fortinet ≫ Fortiproxy Version2.0.0

Fortinet ≫ Fortiproxy Version2.0.1

Fortinet ≫ Fortios Version >= 5.2.10 <= 5.2.15

Fortinet ≫ Fortios Version >= 5.4.0 <= 5.4.13

Fortinet ≫ Fortios Version >= 5.6.0 <= 5.6.14

Fortinet ≫ Fortios Version >= 6.0.0 <= 6.0.12

Fortinet ≫ Fortios Version >= 6.2.0 <= 6.2.7

Fortinet ≫ Fortios Version >= 6.4.0 <= 6.4.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.53%	0.647

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
psirt@fortinet.com	4.7	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://fortiguard.com/psirt/FG-IR-20-199

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-26092

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-26092

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-26092

EUVD