CVE-2021-36172

EUVD-2021-22793
An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports consumed by FortiPortal to trigger a denial of service or read arbitrary files from the underlying file system by means of specifically crafted XML documents.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
fortinetCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:W/RC:C
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
Affected Products (NVD)
VendorProductVersion
fortinetfortiportal
4.0.0 ≤
𝑥
≤ 4.0.4
fortinetfortiportal
4.1.0 ≤
𝑥
≤ 4.1.2
fortinetfortiportal
4.2.0 ≤
𝑥
≤ 4.2.4
fortinetfortiportal
5.0.0 ≤
𝑥
≤ 5.0.3
fortinetfortiportal
5.1.0 ≤
𝑥
≤ 5.1.2
fortinetfortiportal
5.2.0 ≤
𝑥
≤ 5.2.6
fortinetfortiportal
5.3.0 ≤
𝑥
< 5.3.7
fortinetfortiportal
6.0.0 ≤
𝑥
< 6.0.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://fortiguard.com/advisory/FG-IR-21-104
https://fortiguard.com/advisory/FG-IR-21-104