
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN071
_____________________________________________________________________

DATE                : 04/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running FortiWeb 6.3.x prior to 6.3.8 or
                      FortiWeb 6.2.x prior to 6.2.4.

=====================================================================
https://www.fortiguard.com/psirt/FG-IR-20-122
_____________________________________________________________________

IR Number       FG-IR-20-122
Date            Jan 29, 2021
CVSSv3 Score    4.6
Impact          Execute unauthorized code or commands
CVE ID          CVE-2021-22122


XSS vulnerability in FortiWeb


Summary

An improper neutralization of input during web page generation in the
FortiWeb GUI may allow an unauthenticated, remote attacker to perform a
reflected cross-site scripting (XSS) attack by injecting a malicious
payload into several vulnerable API endpoints.
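The weakness class named above (CWE-79, improper neutralization during web
page generation) is illustrated below with an added, self-contained example.
It is not FortiWeb code and not from Fortinet or CERT-Renater: the handler,
the "/api/search" path and the "q" parameter are hypothetical, chosen only
to show the difference between an endpoint that reflects a parameter into
HTML verbatim and one that encodes it, plus a probe that tells the two
apart from the response body alone.

```python
"""Reflected XSS: the pattern behind CVE-2021-22122, shown generically.

Constructed example; the handlers, endpoint path and parameter name are
hypothetical and are NOT FortiWeb code.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit


def vulnerable_handler(url: str) -> str:
    """Hypothetical API endpoint that reflects ?q= into the page unencoded."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    # The parameter is dropped straight into the HTML text context, so a
    # value such as <script>...</script> becomes markup in the response.
    return f"<html><body><p>Results for: {q}</p></body></html>"


def hardened_handler(url: str) -> str:
    """Same endpoint with output encoding for the HTML text context."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    # html.escape neutralises < > & and, with quote=True, " and ', so the
    # value can neither close the <p> nor open a tag or attribute.  This is
    # correct for an HTML text node only; a value placed inside a JavaScript
    # block or an unquoted attribute needs that context's encoding instead.
    safe = html.escape(q, quote=True)
    return f"<html><body><p>Results for: {safe}</p></body></html>"


# Probe value: a tag-like token that never occurs in legitimate output.
# If it comes back with the angle brackets intact, the parameter reaches
# the HTML text context without neutralisation.
PROBE = '<zz7q>"\'x'


def reflects_unescaped(body: str) -> bool:
    """True if the probe survived in the body as a tag, i.e. unencoded."""
    return "<zz7q>" in body


def probe_endpoint(handler, base_url: str) -> bool:
    """Send the URL-encoded probe through a handler and check its response.

    With a real target the handler would be replaced by an HTTP request;
    here the two in-process handlers stand in for it.
    """
    body = handler(f"{base_url}?q={quote(PROBE)}")
    return reflects_unescaped(body)


if __name__ == "__main__":
    base = "https://example.invalid/api/search"  # hypothetical endpoint
    print("vulnerable reflects probe:", probe_endpoint(vulnerable_handler, base))
    print("hardened   reflects probe:", probe_endpoint(hardened_handler, base))
```

The probe is deliberately inert (no script, no event handler): for
confirming reflection on a system you are authorised to test, a token that
shows whether angle brackets and quotes survive is enough, and it avoids
executing anything in an administrator's browser.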


Impact

Execute unauthorized code or commands


Affected Products

FortiWeb versions 6.3.7 and below. FortiWeb versions 6.2.3 and below.


Solutions

Please upgrade to FortiWeb versions 6.3.8 or above. Please upgrade to
FortiWeb versions 6.2.4 or above.
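For fleet triage, the affected and fixed ranges above reduce to a
per-branch comparison. The helper below is an added example, not a tool
from CERT-Renater or Fortinet; it encodes only what this advisory states
(6.3.x fixed in 6.3.8, 6.2.x fixed in 6.2.4) and deliberately returns None
for any other branch rather than guessing about versions the advisory does
not mention.

```python
"""Check a FortiWeb version string against the ranges in FG-IR-20-122.

Added helper, not from CERT-Renater or Fortinet.  Branches other than 6.3
and 6.2 are not covered by the advisory, so they yield None, not False.
"""
import re

# Branch (major, minor) -> first fixed release, as listed under Solutions.
FIXED_IN = {
    (6, 3): (6, 3, 8),
    (6, 2): (6, 2, 4),
}


def parse_version(v: str) -> tuple:
    """'6.3.7' -> (6, 3, 7); tolerates a leading 'v' and a trailing build tag."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised FortiWeb version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str):
    """True if the version is in an affected range, False if fixed,
    None if the advisory says nothing about that branch."""
    ver = parse_version(version)
    fixed = FIXED_IN.get(ver[:2])
    if fixed is None:
        return None
    # Tuple comparison is numeric per component, so 6.3.10 > 6.3.8 holds
    # (a plain string comparison would get this wrong).
    return ver < fixed


def triage(inventory: dict) -> dict:
    """Map host -> verdict for a {host: version} inventory (constructed input)."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames are hypothetical.
    sample = {"waf-a": "6.3.7", "waf-b": "6.3.10", "waf-c": "6.2.3 build 0881", "waf-d": "6.1.2"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {'affected' if verdict else 'not covered' if verdict is None else 'fixed'}")
```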


Acknowledgement

Fortinet is pleased to thank Andrey Medov from ptsecurity for reporting
this vulnerability under responsible disclosure.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================





