FortiWeb - Reflected cross-site scripting in SAML login
Publisher: Fortinet PSIRT Advisories
Fortinet PSIRT contact website: https://fortiguard.fortinet.com/faq/psirt-contact
Advisory ID: FG-IR-21-139
Status: Final
Version: 1
Revision 1: 2021-12-07T00:00:00 (Current version)
Initial release date: 2021-12-07T00:00:00
Current release date: 2021-12-07T00:00:00
Summary: An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiWeb may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the SAML login webpage.
Impact: Execute unauthorized code or commands
Affected products: FortiWeb version 6.4.1 and 6.4.0.
Solutions: Upgrade to the upcoming FortiWeb version 7.0.0 or above. Upgrade to FortiWeb version 6.4.2 or above.
Acknowledgement: Internally discovered and reported by Mattia Fecit of the Fortinet PSIRT team.
Affected product versions:
- FortiWeb 6.4.1
- FortiWeb 6.4.0
CVE: CVE-2021-41015
Affected product IDs: FortiWeb-6.4.1, FortiWeb-6.4.0
CVSS score: 5.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:X/RC:C
Reference: https://fortiguard.fortinet.com/psirt/FG-IR-21-139