CVE-2021-36190

A unintended proxy or intermediary ('confused deputy') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to access protected hosts via crafted HTTP requests.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
ADJACENT_NETWORK
LOW
LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
fortinetCNA
5.5 MEDIUM
ADJACENT_NETWORK
LOW
LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
VendorProductVersion
fortinetfortiweb
6.0.0 ≤
𝑥
≤ 6.0.7
fortinetfortiweb
6.2.0 ≤
𝑥
≤ 6.2.6
fortinetfortiweb
6.3.0 ≤
𝑥
≤ 6.3.15
fortinetfortiweb
6.1.0
fortinetfortiweb
6.1.1
fortinetfortiweb
6.1.2
fortinetfortiweb
6.4.0
fortinetfortiweb
6.4.1
𝑥
= Vulnerable software versions
References
https://fortiguard.com/advisory/FG-IR-21-123
https://fortiguard.com/advisory/FG-IR-21-123