FortiWeb - Reflected cross-site scripting in error controllers
Publisher: Fortinet PSIRT Advisories
PSIRT contact: https://fortiguard.fortinet.com/faq/psirt-contact
Advisory ID: FG-IR-21-118
Status: Final
Version: 1
Revision: 1
Initial publication: 2021-12-07T00:00:00
Current version: 2021-12-07T00:00:00
Last revised: 2021-12-07T00:00:00
Summary: Multiple improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] in FortiWeb may allow an unauthenticated user to inject malicious JavaScript code into the response web page via crafted requests to the device's error handlers.
Details: None
Impact: Execute unauthorized code or commands
Affected products:
  FortiWeb version 6.0.0 through 6.0.7
  FortiWeb version 6.1.0 through 6.1.2
  FortiWeb version 6.2.0 through 6.2.7
  FortiWeb version 6.3.0 through 6.3.15
  FortiWeb version 6.4.0 through 6.4.1
Solution:
  Upgrade to FortiWeb version 7.0.0 or above.
  Upgrade to FortiWeb version 6.4.2 or above.
  Upgrade to FortiWeb version 6.3.16 or above.
Acknowledgement: Internally discovered and reported by Mattia Fecit of the Fortinet Product Security team.
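The summary above is the advisory's entire technical statement: an error handler reflects request data into its HTML response without output encoding. The Python below is an added, generic illustration of that weakness class (CWE-79) and of the standard fix, entity-encoding the untrusted value before it is placed in the page. It is not FortiWeb code and does not reproduce FortiWeb's error handlers; the function names, the template, the sample request paths and the markup probe are all constructed for this example.

```python
import html

# Constructed sample request paths (not captured FortiWeb traffic). The last
# one carries a harmless markup probe that a test suite would send to check
# whether an error page reflects request data without encoding it.
SAMPLE_PATHS = [
    "/api/v1/status",
    "/images/logo.png",
    "/missing/<b>probe</b>",
]

# Hypothetical 404 template with a single interpolation point for the path.
ERROR_TEMPLATE = (
    "<html><head><title>404 Not Found</title></head>"
    "<body><h1>404 Not Found</h1>"
    "<p>The requested URL {path} was not found on this server.</p>"
    "</body></html>"
)


def render_error_vulnerable(path: str) -> str:
    """Hypothetical error controller that reflects the request path verbatim.

    Any '<', '>' or quote characters in the request reach the browser as
    markup, which is the CWE-79 pattern the advisory describes.
    """
    return ERROR_TEMPLATE.format(path=path)


def render_error_hardened(path: str) -> str:
    """Same page, with the untrusted value entity-encoded before insertion."""
    return ERROR_TEMPLATE.format(path=html.escape(path, quote=True))


def hardened_response(path: str) -> tuple[int, dict[str, str], str]:
    """Status, headers and body for the fixed handler.

    The headers are defence in depth: an explicit charset removes charset
    sniffing ambiguity, nosniff keeps the body interpreted as declared, and a
    restrictive CSP limits what an injected script could do if another sink
    were missed.
    """
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'self'",
    }
    return 404, headers, render_error_hardened(path)


def reflects_raw_markup(request_value: str, body: str) -> bool:
    """True when a request value that contains markup characters appears in
    the response body unchanged.

    A plain-text echo (no '<', '>' or quotes) is not flagged, since output
    encoding leaves such values identical; only unencoded markup counts.
    """
    if not any(c in request_value for c in "<>\"'"):
        return False
    return request_value in body


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        vuln = reflects_raw_markup(p, render_error_vulnerable(p))
        fixed = reflects_raw_markup(p, render_error_hardened(p))
        print(f"{p!r}: vulnerable handler reflects markup={vuln}, hardened={fixed}")
```

`reflects_raw_markup` is the kind of check worth running over every error and exception page of an application, not just the routes a developer remembers: error controllers are generated for status codes the application never expects to hit, which is exactly why they are easy to leave unencoded.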
Products listed in this advisory:
  FortiWeb 6.4.1, 6.4.0
  FortiWeb 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.1, 6.3.0
  FortiWeb 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0
  FortiWeb 6.1.4, 6.1.3, 6.1.2, 6.1.1, 6.1.0
  FortiWeb 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0
CVE: CVE-2021-36188
Product list for CVE-2021-36188: identical to the product list above.
CVSSv3 score: 5.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:X/RC:C
Reference: https://fortiguard.fortinet.com/psirt/FG-IR-21-118