Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-3127

Summary
Assigner-fortinet
Assigner Org ID-6abe59d8-c742-4dff-8ce8-9b0ca1073da8
Published At-01 Jun, 2017 | 14:00
Updated At-25 Oct, 2024 | 14:13
Rejected At-
Credits

A Cross-Site Scripting vulnerability in Fortinet FortiGate 5.2.0 through 5.2.10 allows attacker to execute unauthorized code or commands via the srcintf parameter during Firewall Policy Creation.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:fortinet
Assigner Org ID:6abe59d8-c742-4dff-8ce8-9b0ca1073da8
Published At:01 Jun, 2017 | 14:00
Updated At:25 Oct, 2024 | 14:13
Rejected At:
▼CVE Numbering Authority (CNA)

A Cross-Site Scripting vulnerability in Fortinet FortiGate 5.2.0 through 5.2.10 allows attacker to execute unauthorized code or commands via the srcintf parameter during Firewall Policy Creation.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/AExecution of unauthorized code or commands
Type: text
CWE ID: N/A
Description: Execution of unauthorized code or commands
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.securityfocus.com/bid/98048
vdb-entry
x_refsource_BID
https://fortiguard.com/psirt/FG-IR-17-017
x_refsource_CONFIRM
http://www.securitytracker.com/id/1038367
vdb-entry
x_refsource_SECTRACK
Hyperlink: http://www.securityfocus.com/bid/98048
Resource:
vdb-entry
x_refsource_BID
Hyperlink: https://fortiguard.com/psirt/FG-IR-17-017
Resource:
x_refsource_CONFIRM
Hyperlink: http://www.securitytracker.com/id/1038367
Resource:
vdb-entry
x_refsource_SECTRACK
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.securityfocus.com/bid/98048
vdb-entry
x_refsource_BID
x_transferred
https://fortiguard.com/psirt/FG-IR-17-017
x_refsource_CONFIRM
x_transferred
http://www.securitytracker.com/id/1038367
vdb-entry
x_refsource_SECTRACK
x_transferred
Hyperlink: http://www.securityfocus.com/bid/98048
Resource:
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: https://fortiguard.com/psirt/FG-IR-17-017
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://www.securitytracker.com/id/1038367
Resource:
vdb-entry
x_refsource_SECTRACK
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@fortinet.com
Published At:01 Jun, 2017 | 14:29
Updated At:20 Apr, 2025 | 01:37

A Cross-Site Scripting vulnerability in Fortinet FortiGate 5.2.0 through 5.2.10 allows attacker to execute unauthorized code or commands via the srcintf parameter during Firewall Policy Creation.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.06.1MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.0
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CPE Matches
Fortinet, Inc.
fortinet
>>fortios>>5.2.0
cpe:2.3:o:fortinet:fortios:5.2.0:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortios>>5.2.1
cpe:2.3:o:fortinet:fortios:5.2.1:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortios>>5.2.2
cpe:2.3:o:fortinet:fortios:5.2.2:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortios>>5.2.3
cpe:2.3:o:fortinet:fortios:5.2.3:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortios>>5.2.4
cpe:2.3:o:fortinet:fortios:5.2.4:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortios>>5.2.5
cpe:2.3:o:fortinet:fortios:5.2.5:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortios>>5.2.6
cpe:2.3:o:fortinet:fortios:5.2.6:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortios>>5.2.7
cpe:2.3:o:fortinet:fortios:5.2.7:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortios>>5.2.8
cpe:2.3:o:fortinet:fortios:5.2.8:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortios>>5.2.9
cpe:2.3:o:fortinet:fortios:5.2.9:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortios>>5.2.10
cpe:2.3:o:fortinet:fortios:5.2.10:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.securityfocus.com/bid/98048psirt@fortinet.com
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1038367psirt@fortinet.com
N/A
https://fortiguard.com/psirt/FG-IR-17-017psirt@fortinet.com
Vendor Advisory
http://www.securityfocus.com/bid/98048af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1038367af854a3a-2127-422b-91ae-364da2661108
N/A
https://fortiguard.com/psirt/FG-IR-17-017af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Hyperlink: http://www.securityfocus.com/bid/98048
Source: psirt@fortinet.com
Resource:
Third Party Advisory
VDB Entry
Hyperlink: http://www.securitytracker.com/id/1038367
Source: psirt@fortinet.com
Resource: N/A
Hyperlink: https://fortiguard.com/psirt/FG-IR-17-017
Source: psirt@fortinet.com
Resource:
Vendor Advisory
Hyperlink: http://www.securityfocus.com/bid/98048
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
VDB Entry
Hyperlink: http://www.securitytracker.com/id/1038367
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://fortiguard.com/psirt/FG-IR-17-017
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

12394Records found
CVE-2024-27781
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.14% / 34.61%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 16:09
Updated-22 Jul, 2025 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox at least versions 4.4.0 through 4.4.4 and 4.2.0 through 4.2.6 and 4.0.0 through 4.0.4 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.7 allows an authenticated attacker to execute unauthorized code or commands via crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortiSandbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-43952
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-3.3||LOW
EPSS-0.25% / 48.03%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 16:06
Updated-22 Oct, 2024 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiADC version 7.1.1 and below, version 7.0.3 and below, version 6.2.5 and below may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiadcFortiADC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-41336
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.6||MEDIUM
EPSS-0.10% / 28.95%
||
7 Day CHG~0.00%
Published-03 Jan, 2023 | 16:58
Updated-07 Nov, 2023 | 03:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiPortal versions 6.0.0 through 6.0.11 and all versions of 5.3, 5.2, 5.1, 5.0 management interface may allow a remote authenticated attacker to perform a stored cross site scripting (XSS) attack via sending request with specially crafted columnindex parameter.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiportalFortiPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-41330
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8.3||HIGH
EPSS-1.02% / 76.35%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 16:05
Updated-23 Oct, 2024 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9, version 6.4.0 through 6.4.11 and before 6.2.12 and FortiProxy version 7.2.0 through 7.2.1 and before 7.0.7 allows an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiproxyfortiosFortiOSFortiProxy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-40676
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-7.1||HIGH
EPSS-0.99% / 75.91%
||
7 Day CHG~0.00%
Published-07 Mar, 2023 | 16:04
Updated-23 Oct, 2024 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.8, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 allows attacker to execute unauthorized code or commands via specially crafted http requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortinacFortiNAC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-41334
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8.6||HIGH
EPSS-0.30% / 52.92%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 18:06
Updated-23 Oct, 2024 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation [CWE-79] vulnerability in FortiOS versions 7.0.0 to 7.0.7 and 7.2.0 to 7.2.3 may allow a remote, unauthenticated attacker to launch a cross site scripting (XSS) attack via the "redir" parameter of the URL seen when the "Sign in with FortiCloud" button is clicked.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiosFortiOS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-39950
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8||HIGH
EPSS-0.61% / 68.75%
||
7 Day CHG~0.00%
Published-02 Nov, 2022 | 00:00
Updated-25 Oct, 2024 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] exists in FortiManager and FortiAnalyzer 6.0.0 all versions, 6.2.0 all versions, 6.4.0 through 6.4.8, and 7.0.0 through 7.0.4. Report templates may allow a low privilege level attacker to perform an XSS attack via posting a crafted CKeditor "protected" comment as described in CVE-2020-9281.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerfortimanagerFortinet FortiAnalyzer, FortiManager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-38376
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.57% / 67.52%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 18:06
Updated-22 Oct, 2024 | 20:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple improper neutralization of input during web page generation ('Cross-site Scripting') vulnerabilities [CWE-79] in Fortinet FortiNAC portal UI before 9.4.1 allows an attacker to perform an XSS attack via crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortinacFortiNAC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-38373
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8||HIGH
EPSS-0.91% / 74.88%
||
7 Day CHG~0.00%
Published-02 Nov, 2022 | 00:00
Updated-25 Oct, 2024 | 13:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiDeceptor management interface 4.2.0, 4.1.0 through 4.1.1, 4.0.2 may allow an authenticated user to perform a cross site scripting (XSS) attack via sending requests with specially crafted lure resource ID.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortideceptorFortinet FortiDeceptor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-38374
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8.8||HIGH
EPSS-15.01% / 94.29%
||
7 Day CHG~0.00%
Published-02 Nov, 2022 | 00:00
Updated-25 Oct, 2024 | 13:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiADC 7.0.0 - 7.0.2 and 6.2.0 - 6.2.4 allows an attacker to execute unauthorized code or commands via the URL and User fields observed in the traffic and event logviews.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiadcFortinet FortiADC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-23111
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.14% / 34.29%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 14:32
Updated-27 Aug, 2025 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions reboot page may allow a remote privileged attacker with super-admin access to execute JavaScript code via crafted HTTP GET requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiproxyfortiosFortiOSFortiProxyfortiosfortiproxy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-35850
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-4.2||MEDIUM
EPSS-0.17% / 38.73%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 16:07
Updated-22 Oct, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of script-related HTML tags in a web page vulnerability [CWE-80] in FortiAuthenticator versions 6.4.0 through 6.4.4, 6.3.0 through 6.3.3, all versions of 6.2 and 6.1 may allow a remote unauthenticated attacker to trigger a reflected cross site scripting (XSS) attack via the "reset-password" page.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiauthenticatorFortiAuthenticator
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-35851
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8||HIGH
EPSS-0.70% / 71.02%
||
7 Day CHG~0.00%
Published-02 Nov, 2022 | 00:00
Updated-25 Oct, 2024 | 13:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiADC management interface 7.1.0 may allow a remote and authenticated attacker to trigger a stored cross site scripting (XSS) attack via configuring a specially crafted IP Address.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiadcFortinet FortiADC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-3196
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.47% / 63.52%
||
7 Day CHG~0.00%
Published-05 Aug, 2016 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Fortinet FortiAnalyzer 5.x before 5.0.12 and 5.2.x before 5.2.6 and FortiManager 5.x before 5.0.12 and 5.2.x before 5.2.6 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an image uploaded in the report section.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortianalyzer_firmwarefortimanager_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-3193
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 44.74%
||
7 Day CHG~0.00%
Published-19 Aug, 2016 | 21:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the appliance web-application in Fortinet FortiManager 5.x before 5.0.12, 5.2.x before 5.2.6, and 5.4.x before 5.4.1 and FortiAnalyzer 5.x before 5.0.13, 5.2.x before 5.2.6, and 5.4.x before 5.4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortianalyzer_firmwarefortimanager_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41029
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.55% / 66.99%
||
7 Day CHG~0.00%
Published-08 Dec, 2021 | 11:29
Updated-25 Oct, 2024 | 13:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWLM version 8.6.1 and below allows attacker to store malicious javascript code in the device and trigger it via crafted HTTP requests

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwlmFortinet FortiWLM
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-7363
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 54.98%
||
7 Day CHG~0.00%
Published-07 Oct, 2016 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the advanced settings page in Fortinet FortiManager 5.x before 5.0.12 and 5.2.x before 5.2.3, in hardware models with a hard disk, and FortiAnalyzer 5.x before 5.0.13 and 5.2.x before 5.2.3 allows remote administrators to inject arbitrary web script or HTML via vectors related to report filters.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortianalyzer_firmwarefortimanagerfortimanager_firmwarefortianalyzern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-30304
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-4.2||MEDIUM
EPSS-0.22% / 44.37%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 18:06
Updated-22 Oct, 2024 | 20:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAnalyzer versions prior to 7.2.1, 7.0.4 and 6.4.8 may allow a remote unauthenticated attacker to perform a stored cross site scripting (XSS) attack via the URL parameter observed in the FortiWeb attack event logview in FortiAnalyzer.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerFortiAnalyzer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-3612
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.28% / 51.30%
||
7 Day CHG~0.00%
Published-04 Feb, 2020 | 19:21
Updated-06 Aug, 2024 | 05:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-site Scripting (XSS) vulnerability exists in FortiManager 5.2.1 and earlier and 5.0.10 and earlier via an unspecified parameter in the FortiWeb auto update service page.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortimanagern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-3615
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.78%
||
7 Day CHG~0.00%
Published-11 Aug, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Fortinet FortiManager 5.0.x before 5.0.11, 5.2.x before 5.2.2 allows remote authenticated users to inject arbitrary web script or HTML via vectors involving unspecified parameters and a privilege escalation attack.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortimanager_2000efortimanager_300efortimanager_200dfortimanager_firmwarefortimanager_400efortimanager_3000ffortimanager_3900en/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-36175
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-4.1||MEDIUM
EPSS-0.19% / 41.34%
||
7 Day CHG~0.00%
Published-06 Oct, 2021 | 09:36
Updated-25 Oct, 2024 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6.2.3 and below, 6.0.2 and below may allow a remote authenticated attacker to inject malicious script/tags via the name/description/comments parameter of various sections of the device.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwebFortinet FortiWebManager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-32597
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.17% / 38.65%
||
7 Day CHG~0.00%
Published-06 Aug, 2021 | 10:48
Updated-25 Oct, 2024 | 13:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple improper neutralization of input during web page generation (CWE-79) in FortiManager and FortiAnalyzer versions 7.0.0, 6.4.5 and below, 6.2.7 and below user interface, may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious payload in GET parameters.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerfortimanagerFortinet FortiAnalyzer, FortiManager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-1451
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.24% / 46.91%
||
7 Day CHG~0.00%
Published-02 Feb, 2015 | 16:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiOS 5.0 Patch 7 build 4457 allow remote authenticated users to inject arbitrary web script or HTML via the (1) WTP Name or (2) WTP Active Software Version field in a CAPWAP Join request.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortiosn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12815
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 40.38%
||
7 Day CHG~0.00%
Published-24 Sep, 2020 | 13:33
Updated-25 Oct, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in FortiTester before 3.9.0 may allow a remote authenticated attacker to inject script related HTML tags via IPv4/IPv6 address fields.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerfortitesterFortinet FortiTester
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12817
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8.8||HIGH
EPSS-0.25% / 48.05%
||
7 Day CHG~0.00%
Published-24 Sep, 2020 | 13:31
Updated-25 Oct, 2024 | 14:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in FortiAnalyzer before 6.4.1 and 6.2.5 may allow a remote authenticated attacker to inject script related HTML tags via Name parameter of Storage Connectors.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerfortitesterFortinet FortiAnalyzer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12814
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-4.1||MEDIUM
EPSS-0.50% / 65.04%
||
7 Day CHG~0.00%
Published-02 Nov, 2021 | 17:56
Updated-25 Oct, 2024 | 13:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6.0.6 and below, version 6.4.4 allows attacker to execute unauthorized code or commands via specifically crafted requests to the web GUI.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerFortinet FortiAnalyzer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-29057
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 42.25%
||
7 Day CHG~0.00%
Published-18 Jul, 2022 | 16:41
Updated-22 Oct, 2024 | 20:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiEDR version 5.1.0, 5.0.0 through 5.0.3 Patch 6 and 4.0.0 allows a remote authenticated attacker to perform a reflected cross site scripting attack (XSS) by injecting malicious payload into the Management Console via various endpoints.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiedrFortinet FortiEDR
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1458
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.18% / 40.44%
||
7 Day CHG~0.00%
Published-04 Feb, 2014 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the web administration interface in FortiGuard FortiWeb 5.0.3 and earlier allows remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortiwebn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-45587
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-3.4||LOW
EPSS-0.44% / 62.20%
||
7 Day CHG~0.00%
Published-13 Dec, 2023 | 06:40
Updated-28 Aug, 2024 | 13:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 allows attacker to execute unauthorized code or commands via crafted HTTP requests

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortiSandbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-9288
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 42.64%
||
7 Day CHG~0.00%
Published-22 Jun, 2020 | 15:14
Updated-25 Oct, 2024 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in FortiWLC 8.5.1 allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the ESS profile or the Radius Profile.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwlcFortinet FortiWLC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-14186
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-4.05% / 88.06%
||
7 Day CHG~0.00%
Published-29 Nov, 2017 | 19:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4 and below versions under SSL VPN web portal allows a remote user to inject arbitrary web script or HTML in the context of the victim's browser via the login redir parameter. An URL Redirection attack may also be feasible by injecting an external URL via the affected parameter.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiosFortiOS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6640
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 42.64%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 12:47
Updated-25 Oct, 2024 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortianalyzerFortinet FortiAnalyzer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-41843
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-7.3||HIGH
EPSS-0.18% / 40.20%
||
7 Day CHG~0.00%
Published-13 Oct, 2023 | 14:51
Updated-22 Oct, 2024 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortiSandbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-41836
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-3.4||LOW
EPSS-0.09% / 27.17%
||
7 Day CHG~0.00%
Published-13 Oct, 2023 | 14:51
Updated-16 Sep, 2024 | 20:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.0 and 4.2.0 through 4.2.4, and 4.0.0 through 4.0.4 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.4 through 3.0.7 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortiSandbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-41680
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-7.3||HIGH
EPSS-0.26% / 48.76%
||
7 Day CHG~0.00%
Published-13 Oct, 2023 | 14:51
Updated-22 Oct, 2024 | 20:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.7 and 2.5.0 through 2.5.2 and 2.4.1 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortiSandbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-41844
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-3.4||LOW
EPSS-0.44% / 62.20%
||
7 Day CHG~0.00%
Published-13 Dec, 2023 | 06:42
Updated-08 Oct, 2024 | 14:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.4 allows attacker to execute unauthorized code or commands via crafted HTTP requests in capture traffic endpoint.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortiSandbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-43955
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8||HIGH
EPSS-0.15% / 36.05%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 16:06
Updated-23 Oct, 2024 | 14:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation [CWE-79] in the FortiWeb web interface 7.0.0 through 7.0.3, 6.3.0 through 6.3.21, 6.4 all versions, 6.2 all versions, 6.1 all versions and 6.0 all versions may allow an unauthenticated and remote attacker to perform a reflected cross site scripting attack (XSS) via injecting malicious payload in log entries used to build report.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwebFortiWeb
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6643
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 42.64%
||
7 Day CHG~0.00%
Published-12 Mar, 2020 | 21:20
Updated-25 Oct, 2024 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in the URL Description in Fortinet FortiIsolator version 1.2.2 allows a remote authenticated attacker to perform a cross site scripting attack (XSS).

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiisolatorFortinet FortiIsolator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6647
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.36% / 57.06%
||
7 Day CHG~0.00%
Published-07 Apr, 2020 | 18:41
Updated-25 Oct, 2024 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortiadc_firmwareFortinet FortiADC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-41681
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-7.3||HIGH
EPSS-0.14% / 35.26%
||
7 Day CHG~0.00%
Published-13 Oct, 2023 | 14:51
Updated-16 Sep, 2024 | 20:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.7 and 2.5.0 through 2.5.2 and 2.4.1 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortiSandbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-32932
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.04% / 11.77%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 19:00
Updated-15 Aug, 2025 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper neutralization of input during web page generation ('cross-site scripting') vulnerability [CWE-79] in FortiSOAR version 7.6.1 and below, version 7.5.1 and below, 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions WEB UI may allow an authenticated remote attacker to perform an XSS attack via stored malicious service requests

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisoarFortiSOAR
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-6699
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.34% / 56.20%
||
7 Day CHG~0.00%
Published-13 Mar, 2020 | 15:06
Updated-25 Oct, 2024 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in Fortinet FortiADC 5.3.3 and earlier may allow an attacker to execute a stored Cross Site Scripting (XSS) via a field in the traffic group interface.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiadcFortinet FortiADC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37933
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8.6||HIGH
EPSS-0.04% / 10.15%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 14:54
Updated-22 Jul, 2025 | 21:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiADC GUI version 7.4.0, 7.2.0 through 7.2.1 and before 7.1.3 allows an authenticated attacker to perform an XSS attack via crafted HTTP or HTTPs requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiadcFortiADC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-36637
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-3.4||LOW
EPSS-0.27% / 50.17%
||
7 Day CHG~0.00%
Published-10 Oct, 2023 | 16:50
Updated-18 Sep, 2024 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to inject HTML tags in FortiMail's calendar via input fields.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortimailFortiMail
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-36555
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-3.9||LOW
EPSS-0.12% / 32.34%
||
7 Day CHG~0.00%
Published-10 Oct, 2023 | 16:48
Updated-18 Sep, 2024 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of script-related html tags in a web page (basic xss) in Fortinet FortiOS 7.2.0 - 7.2.4 allows an attacker to execute unauthorized code or commands via the SAML and Security Fabric components.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiosFortiOS
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-17651
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 42.64%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 00:44
Updated-25 Oct, 2024 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM version 5.2.5 and below may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious JavaScript code into the description field of a Device Maintenance schedule.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisiemFortinet FortiSIEM
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22855
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-2.6||LOW
EPSS-0.05% / 16.59%
||
7 Day CHG~0.00%
Published-08 Apr, 2025 | 14:02
Updated-23 Jul, 2025 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Fortinet FortiClient before 7.4.1 may allow the EMS administrator to send messages containing javascript code.

Action-Not Available
Vendor-Fortinet, Inc.
Product-forticlientemsFortiClientEMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-16149
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 5.78%
||
7 Day CHG-0.04%
Published-28 Mar, 2025 | 09:07
Updated-15 Jul, 2025 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Neutralization of Input During Web Page Generation in FortiClientEMS version 6.2.0 may allow a remote attacker to execute unauthorized code by injecting malicious payload in the user profile of a FortiClient instance being managed by the vulnerable system.

Action-Not Available
Vendor-Fortinet, Inc.
Product-forticlientemsFortiClientEMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-16151
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.03% / 7.11%
||
7 Day CHG~0.00%
Published-21 Mar, 2025 | 16:02
Updated-23 Jul, 2025 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS 6.4.1 and below, 6.2.9 and below may allow a remote unauthenticated attacker to either redirect users to malicious websites via a crafted "Host" header or to execute JavaScript code in the victim's browser context. This happens when the FortiGate has web filtering and category override enabled/configured.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiosFortiOS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-26114
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.83% / 73.58%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 15:15
Updated-22 Oct, 2024 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in the Webmail of FortiMail before 7.2.0 may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack via sending specially crafted mail messages.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortimailFortinet FortiMail
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 247
  • 248
  • Next
Details not found