PSIRTFortiMail - Cross-site scripting (XSS) in Webmail
Summary
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail Webmail may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack via sending specially crafted mail messages.
| Version | Affected | Solution |
|---|---|---|
| FortiMail 7.2 | Not affected | Upgrade to 7.2.0 or above |
| FortiMail 7.0 | 7.0.0 through 7.0.3 | Upgrade to 7.0.4 or above |
| FortiMail 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiMail 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiMail 6.0 | 6.0 all versions | Migrate to a fixed release |
Acknowledgement
Internally discovered by Giuseppe Cocomazzi.| IR Number | FG-IR-21-045 |
| Date | Sep 6, 2022 |
| Component | GUI |
| Severity | 
Medium |
| CVSSv3 Score | 5.1 |
| Impact | Execute unauthorized code or commands |
| CVE ID | CVE-2022-26114 |
| CVRF | Download |