CVE-2022-40680

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3 allows a privileged attacker to execute unauthorized code or commands via storing malicious payloads in replacement messages.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
fortinetCNA
4 MEDIUM
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
Affected Products (NVD)
VendorProductVersion
fortinetfortios
6.0.7 ≤
𝑥
≤ 6.0.15
fortinetfortios
6.2.2 ≤
𝑥
≤ 6.2.12
fortinetfortios
6.4.0 ≤
𝑥
≤ 6.4.9
fortinetfortios
7.0.0 ≤
𝑥
≤ 7.0.3
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
fortinetfortiproxy
7.0.0 ≤
𝑥
≤ 7.0.1
CNA
fortinetfortiproxy
2.0.0 ≤
𝑥
≤ 2.0.11
CNA
fortinetfortiproxy
1.2.0 ≤
𝑥
≤ 1.2.13
CNA
fortinetfortiproxy
1.1.0 ≤
𝑥
≤ 1.1.6
CNA
fortinetfortiproxy
7.0.0 ≤
𝑥
≤ 7.0.3
CNA
fortinetfortiproxy
6.4.0 ≤
𝑥
≤ 6.4.9
CNA
fortinetfortiproxy
6.2.2 ≤
𝑥
≤ 6.2.12
CNA
fortinetfortiproxy
6.0.7 ≤
𝑥
≤ 6.0.15
CNA
Common Weakness Enumeration
References
https://fortiguard.com/psirt/FG-IR-21-248
https://fortiguard.com/psirt/FG-IR-21-248