A vulnerability has been found in Fortinet FortiPortal up to 5.0/5.1/5.2/5.3/6.0.11 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument columnindex with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. The summary by CVE is:

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiPortal versions 6.0.0 through 6.0.11 and all versions of 5.3, 5.2, 5.1, 5.0 management interface may allow a remote authenticated attacker to perform a stored cross site scripting (XSS) attack via sending request with specially crafted columnindex parameter.

The weakness was shared 01/03/2023 as FG-IR-22-313. The advisory is shared at fortiguard.com. This vulnerability is known as CVE-2022-41336 since 09/23/2022. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1059.007 for this issue.

Upgrading eliminates this vulnerability.

The entries VDB-185943, VDB-185944, VDB-185965 and VDB-185966 are related to this item.

Productinfo

Vendor

• Fortinet

Name

• FortiPortal

Version

• 5.0
• 5.1
• 5.2
• 5.3
• 6.0.0
• 6.0.1
• 6.0.2
• 6.0.3
• 6.0.4
• 6.0.5
• 6.0.6
• 6.0.7
• 6.0.8
• 6.0.9
• 6.0.10
• 6.0.11

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion