PSIRT Advisories
FortiOS -- XSS vulnerability in the Login page when FortiCloud Sign-in is used
Summary
An improper neutralization of input during web page generation [CWE-79] vulnerability in FortiOS may allow a remote, unauthenticated attacker to launch a cross site scripting (XSS) attack via the "redir" parameter of the URL seen when the "Sign in with FortiCloud" button is clicked.
Affected Products
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.7
Solutions
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.8 or above
Workaround:
Disable the "Sign in with FortiCloud" feature using the following commands:
config system global
set admin-forticloud-sso-login disable
end
and use another authentication method to log in to the FortiGate.
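The following is an added example (not Fortinet's code) that turns the advisory into an audit check: it decides whether a reported FortiOS version falls in the affected ranges and whether a configuration backup contains the workaround setting under "config system global". The sample configuration fragment is constructed, not taken from a real device.

```python
import re

# Affected ranges from the advisory (inclusive); 7.0.8 and 7.2.4 are fixed.
AFFECTED_RANGES = [((7, 0, 0), (7, 0, 7)), ((7, 2, 0), (7, 2, 3))]


def parse_version(version: str) -> tuple:
    """Turn 'v7.0.5' or '7.0.5' into (7, 0, 5); raise on anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def forticloud_sso_disabled(config_text: str) -> bool:
    """True only if 'set admin-forticloud-sso-login disable' appears directly
    inside the 'config system global' block. Absence is treated as not
    disabled, since backups usually omit settings left at their default."""
    depth = 0          # nesting depth of config/end blocks
    global_depth = None  # depth at which 'config system global' was opened
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config system global":
                global_depth = depth
        elif line == "end":
            if global_depth == depth:
                global_depth = None
            depth -= 1
        elif global_depth == depth and line == "set admin-forticloud-sso-login disable":
            return True
    return False


def exposure(version: str, config_text: str) -> str:
    """Summarise exposure to the advisory for one device."""
    if not is_affected_version(version):
        return "not affected"
    if forticloud_sso_disabled(config_text):
        return "affected version, workaround applied"
    return "VULNERABLE: upgrade or disable FortiCloud sign-in"


# Constructed sample config fragment (not a real device backup).
SAMPLE_CONFIG = """\
config system global
    set hostname FGT-EXAMPLE
    set admin-forticloud-sso-login disable
end
"""
```

Feed `exposure()` the version string and the text of a `show system global` backup for each device to find those that still need the upgrade.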