Description
An improper neutralization of input during web page generation vulnerability [CWE-79] in the FortiPortal management interface, versions 6.0.0 through 6.0.11 and all versions of 5.3, 5.2, 5.1 and 5.0, may allow a remote authenticated attacker to perform a stored cross-site scripting (XSS) attack by sending a request with a specially crafted columnindex parameter.
CVSS breakdown
CVSS 3.1 base metrics
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Privileges Required (PR): High
- User Interaction (UI): Required
- Scope (S): Unchanged
- Confidentiality (C): High
- Integrity (I): High
- Availability (A): High
Base vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Temporal metrics
- Exploit Code Maturity (E): F (Functional)
- Remediation Level (RL): X (Not Defined)
- Report Confidence (RC): Changed
Affected products
- fortinet / fortiportal 6.0.0 – 6.0.11
- fortinet / fortiportal 5.3.0 – 5.3.8
- fortinet / fortiportal 5.2.0 – 5.2.6
- fortinet / fortiportal 5.1.0 – 5.1.2
- fortinet / fortiportal 5.0.0 – 5.0.3
References
- Vendor advisory: https://fortiguard.com/psirt/FG-IR-22-313