CVE-2019-5590

The URL part of the report message is not encoded in Fortinet FortiWeb 6.0.2 and below which may allow an attacker to execute unauthorized code or commands (Cross Site Scripting) via attack reports generated in HTML form.

Published: Aug 28, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-5590
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
fortinet / fortiweb	-	6.0.2.x

http://www.securityfocus.com/bid/108786
https://fortiguard.com/advisory/FG-IR-19-070

Vulnerability Database

289,784

CVE-2019-5590