Description
An improper neutralization of input during web page generation vulnerability [CWE-79] in the Webmail component of FortiMail before 7.2.0 may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack by sending specially crafted mail messages.
CVSS breakdown
CVSS 3.1

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
| E | Physical |
| RL | Unchanged |
| RC | Changed |
Affected products
- fortinet / Fortinet FortiMail – FortiMail before 7.2.0
References
- VENDOR_ADVISORY: https://fortiguard.com/psirt/FG-IR-21-045