CVE-2021-36188

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted GET parameters in requests to login and error handlers

Published: Dec 8, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-36188
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
fortinet / fortiweb	6.3.0	6.3.16
fortinet / fortiweb	6.4.0	6.4.2
fortinet / fortiweb	6.0.0	6.2.5.x

https://fortiguard.com/advisory/FG-IR-21-118

Vulnerability Database

289,784

CVE-2021-36188