CVE-2021-26092

Failure to sanitize input in the SSL VPN web portal of FortiOS 5.2.10 through 5.2.15, 5.4.0 through 5.4.13, 5.6.0 through 5.6.14, 6.0.0 through 6.0.12, 6.2.0 through 6.2.7, 6.4.0 through 6.4.4; and FortiProxy 1.2.0 through 1.2.9, 2.0.0 through 2.0.1 may allow a remote unauthenticated attacker to perform a reflected Cross-site Scripting (XSS) attack by sending a request to the error page with malicious GET parameters.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.7 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
fortinetCNA
4.7 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:F/RL:X/RC:X
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
VendorProductVersion
fortinetfortiproxy
1.2.0 ≤
𝑥
≤ 1.2.9
fortinetfortiproxy
2.0.0
fortinetfortiproxy
2.0.1
fortinetfortios
5.2.10 ≤
𝑥
≤ 5.2.15
fortinetfortios
5.4.0 ≤
𝑥
≤ 5.4.13
fortinetfortios
5.6.0 ≤
𝑥
≤ 5.6.14
fortinetfortios
6.0.0 ≤
𝑥
≤ 6.0.12
fortinetfortios
6.2.0 ≤
𝑥
≤ 6.2.7
fortinetfortios
6.4.0 ≤
𝑥
≤ 6.4.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://fortiguard.com/psirt/FG-IR-20-199
https://fortiguard.com/psirt/FG-IR-20-199