=====================================================================
CERT-Renater Information Note No. 2021/VULN519
_____________________________________________________________________
DATE : 06/10/2021
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running FortiWebManager versions prior to 6.2.4.
=====================================================================
https://www.fortiguard.com/psirt/FG-IR-20-027
_____________________________________________________________________

FortiWebManager - Injection vulnerabilities

IR Number         : FG-IR-20-027
Date              : Oct 5, 2021
Risk              : 3/5
CVSSv3 Score      : 4
Impact            : Execute unauthorized code or commands
CVE ID            : CVE-2021-36175
Affected Products : FortiWebManager: 6.0.2

Summary
An improper neutralization of input vulnerability [CWE-79] in FortiWebManager may allow a remote authenticated attacker to inject malicious script/tags via the name, description and comments parameters of various sections of the device. Because the injected content is stored with the object and rendered back to anyone who views it, the script executes in the browser of other (possibly higher-privileged) administrators of the management console.

Affected Products
FortiWebManager version 6.2.3 and below.
FortiWebManager version 6.0.x.

Solutions
Please upgrade to FortiWebManager version 6.2.4 or above.

Acknowledgement
Fortinet is pleased to thank Danilo Costa from Sigma Telecom for reporting this issue under responsible disclosure.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris         | email : cert@support.renater.fr +
=========================================================
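The Summary above describes CWE-79 in the classic stored form: a field an authenticated user controls (name, description or comments) is written back into a management page without output encoding. The following is an added example, not FortiWebManager code and not derived from the vendor's fix; it shows a minimal device-list renderer in its vulnerable form beside a hardened form, plus a check that a reviewer or tester can run over rendered output to spot tags that did not come from the template. The device record, the HTML template and the payloads are all constructed for the illustration.

```python
"""CWE-79 (improper neutralization of input) illustrated on a device
record with name/description/comments fields, the parameter names the
advisory lists. Added example; not FortiWebManager code. The record,
the HTML template and the payloads are constructed here."""
import html
import re

# Constructed sample: what an authenticated user could submit through the UI.
# The description carries a tag-based payload, the comments field an
# attribute-breakout payload (closes the quoted attribute it lands in).
DEVICE = {
    "name": "edge-fw-01",
    "description": '<img src=x onerror="alert(document.cookie)">',
    "comments": 'Added by ops" onmouseover="alert(1)',
}

# Tags the template itself emits; anything else in the output was injected.
TEMPLATE_TAGS = {"tr", "td"}
_TAG_NAME = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def render_vulnerable(device: dict) -> str:
    """'Before' form: fields are concatenated straight into the HTML, so
    markup inside them is parsed by the browser of whoever views the list."""
    return (
        f'<tr title="{device["comments"]}">'
        f'<td>{device["name"]}</td>'
        f'<td>{device["description"]}</td></tr>'
    )


def render_hardened(device: dict) -> str:
    """'After' form: every field is entity-encoded on output.
    html.escape(..., quote=True) neutralizes < > & " and ', which covers
    both element content and the double-quoted title attribute here."""
    def esc(value: str) -> str:
        return html.escape(value, quote=True)

    return (
        f'<tr title="{esc(device["comments"])}">'
        f'<td>{esc(device["name"])}</td>'
        f'<td>{esc(device["description"])}</td></tr>'
    )


def injected_tags(rendered_html: str) -> set:
    """Return tag names present in the output that the template never emits.
    An empty set means no user-controlled value introduced a live element."""
    found = {m.group(1).lower() for m in _TAG_NAME.finditer(rendered_html)}
    return found - TEMPLATE_TAGS


def attribute_breakout(rendered_html: str) -> bool:
    """True if a raw double quote followed by an event handler appears in the
    output, i.e. a value escaped from its attribute and added a handler."""
    return re.search(r'"\s+on[a-z]+\s*=', rendered_html, re.IGNORECASE) is not None


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = render(DEVICE)
        print(f"--- {label} ---")
        print(out)
        print("injected tags:", injected_tags(out) or "none")
        print("attribute breakout:", attribute_breakout(out))
```

The hardened form encodes at the point of output rather than trying to filter on input, which is the change CWE-79 calls for: the stored value stays exactly what the user typed, and the browser only ever sees inert text. `injected_tags` and `attribute_breakout` are the kind of assertions worth adding to a UI test suite for any field that accepts free text, because they catch both the tag-injection and attribute-context variants the same field can be abused for.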