Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-36191

Summary
Assigner-fortinet
Assigner Org ID-6abe59d8-c742-4dff-8ce8-9b0ca1073da8
Published At-08 Dec, 2021 | 13:03
Updated At-25 Oct, 2024 | 13:40
Rejected At-
Credits

A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to use the device as proxy via crafted GET parameters in requests to error handlers

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:fortinet
Assigner Org ID:6abe59d8-c742-4dff-8ce8-9b0ca1073da8
Published At:08 Dec, 2021 | 13:03
Updated At:25 Oct, 2024 | 13:40
Rejected At:
▼CVE Numbering Authority (CNA)

A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to use the device as proxy via crafted GET parameters in requests to error handlers

Affected Products
Vendor
Fortinet, Inc.Fortinet
Product
Fortinet FortiWeb
Versions
Affected
  • FortiWeb 6.4.1, 6.4.0, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.1, 6.3.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.1.2, 6.1.1, 6.1.0, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0
Problem Types
TypeCWE IDDescription
textN/AImproper access control
Type: text
CWE ID: N/A
Description: Improper access control
Metrics
VersionBase scoreBase severityVector
3.14.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N/E:P/RL:X/RC:C
Version: 3.1
Base score: 4.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N/E:P/RL:X/RC:C
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://fortiguard.com/advisory/FG-IR-21-133
x_refsource_CONFIRM
Hyperlink: https://fortiguard.com/advisory/FG-IR-21-133
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://fortiguard.com/advisory/FG-IR-21-133
x_refsource_CONFIRM
x_transferred
Hyperlink: https://fortiguard.com/advisory/FG-IR-21-133
Resource:
x_refsource_CONFIRM
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@fortinet.com
Published At:08 Dec, 2021 | 13:15
Updated At:15 Dec, 2021 | 13:45

A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to use the device as proxy via crafted GET parameters in requests to error handlers

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Secondary3.14.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Primary2.04.9MEDIUM
AV:N/AC:M/Au:S/C:P/I:P/A:N
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Type: Primary
Version: 2.0
Base score: 4.9
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:S/C:P/I:P/A:N
CPE Matches
Fortinet, Inc.
fortinet
>>fortiweb>>Versions from 6.0.0(inclusive) to 6.0.7(inclusive)
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortiweb>>Versions from 6.2.0(inclusive) to 6.2.6(inclusive)
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortiweb>>Versions from 6.3.0(inclusive) to 6.3.15(inclusive)
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortiweb>>6.1.0
cpe:2.3:a:fortinet:fortiweb:6.1.0:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortiweb>>6.1.1
cpe:2.3:a:fortinet:fortiweb:6.1.1:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortiweb>>6.1.2
cpe:2.3:a:fortinet:fortiweb:6.1.2:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortiweb>>6.4.0
cpe:2.3:a:fortinet:fortiweb:6.4.0:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortiweb>>6.4.1
cpe:2.3:a:fortinet:fortiweb:6.4.1:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-601Primarynvd@nist.gov
CWE ID: CWE-601
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://fortiguard.com/advisory/FG-IR-21-133psirt@fortinet.com
Patch
Vendor Advisory
Hyperlink: https://fortiguard.com/advisory/FG-IR-21-133
Source: psirt@fortinet.com
Resource:
Patch
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

131Records found
CVE-2023-22641
Matching Score-10
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-10
Assigner-Fortinet, Inc.
CVSS Score-4.1||MEDIUM
EPSS-0.11% / 30.62%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 16:06
Updated-22 Oct, 2024 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A url redirection to untrusted site ('open redirect') in Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.9, FortiOS versions 6.4.0 through 6.4.12, FortiOS all versions 6.2, FortiOS all versions 6.0, FortiProxy version 7.2.0 through 7.2.2, FortiProxy version 7.0.0 through 7.0.8, FortiProxy all versions 2.0, FortiProxy all versions 1.2, FortiProxy all versions 1.1, FortiProxy all versions 1.0 allows an authenticated attacker to execute unauthorized code or commands via specially crafted requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiproxyfortiosFortiOSFortiProxy
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2021-36175
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-4.1||MEDIUM
EPSS-0.19% / 41.35%
||
7 Day CHG~0.00%
Published-06 Oct, 2021 | 09:36
Updated-25 Oct, 2024 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6.2.3 and below, 6.0.2 and below may allow a remote authenticated attacker to inject malicious script/tags via the name/description/comments parameter of various sections of the device.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwebFortinet FortiWebManager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-3612
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.28% / 51.30%
||
7 Day CHG~0.00%
Published-04 Feb, 2020 | 19:21
Updated-06 Aug, 2024 | 05:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-site Scripting (XSS) vulnerability exists in FortiManager 5.2.1 and earlier and 5.0.10 and earlier via an unspecified parameter in the FortiWeb auto update service page.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortimanagern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-32597
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.17% / 38.67%
||
7 Day CHG~0.00%
Published-06 Aug, 2021 | 10:48
Updated-25 Oct, 2024 | 13:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple improper neutralization of input during web page generation (CWE-79) in FortiManager and FortiAnalyzer versions 7.0.0, 6.4.5 and below, 6.2.7 and below user interface, may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious payload in GET parameters.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerfortimanagerFortinet FortiAnalyzer, FortiManager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-32932
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 19:00
Updated-15 Aug, 2025 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper neutralization of input during web page generation ('cross-site scripting') vulnerability [CWE-79] in FortiSOAR version 7.6.1 and below, version 7.5.1 and below, 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions WEB UI may allow an authenticated remote attacker to perform an XSS attack via stored malicious service requests

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisoarFortiSOAR
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-45587
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-3.4||LOW
EPSS-0.44% / 62.18%
||
7 Day CHG~0.00%
Published-13 Dec, 2023 | 06:40
Updated-28 Aug, 2024 | 13:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 allows attacker to execute unauthorized code or commands via crafted HTTP requests

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortiSandbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-41844
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-3.4||LOW
EPSS-0.44% / 62.18%
||
7 Day CHG~0.00%
Published-13 Dec, 2023 | 06:42
Updated-08 Oct, 2024 | 14:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.4 allows attacker to execute unauthorized code or commands via crafted HTTP requests in capture traffic endpoint.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortiSandbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-41843
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-7.3||HIGH
EPSS-0.18% / 40.21%
||
7 Day CHG~0.00%
Published-13 Oct, 2023 | 14:51
Updated-22 Oct, 2024 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortiSandbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-43952
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-3.3||LOW
EPSS-0.25% / 48.03%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 16:06
Updated-22 Oct, 2024 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiADC version 7.1.1 and below, version 7.0.3 and below, version 6.2.5 and below may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiadcFortiADC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-36637
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-3.4||LOW
EPSS-0.27% / 50.18%
||
7 Day CHG~0.00%
Published-10 Oct, 2023 | 16:50
Updated-18 Sep, 2024 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to inject HTML tags in FortiMail's calendar via input fields.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortimailFortiMail
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-40676
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-7.1||HIGH
EPSS-0.99% / 75.89%
||
7 Day CHG~0.00%
Published-07 Mar, 2023 | 16:04
Updated-23 Oct, 2024 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.8, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 allows attacker to execute unauthorized code or commands via specially crafted http requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortinacFortiNAC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-39950
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-8||HIGH
EPSS-0.61% / 68.73%
||
7 Day CHG~0.00%
Published-02 Nov, 2022 | 00:00
Updated-25 Oct, 2024 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] exists in FortiManager and FortiAnalyzer 6.0.0 all versions, 6.2.0 all versions, 6.4.0 through 6.4.8, and 7.0.0 through 7.0.4. Report templates may allow a low privilege level attacker to perform an XSS attack via posting a crafted CKeditor "protected" comment as described in CVE-2020-9281.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerfortimanagerFortinet FortiAnalyzer, FortiManager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-40680
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-3.8||LOW
EPSS-0.29% / 52.11%
||
7 Day CHG~0.00%
Published-06 Dec, 2022 | 16:00
Updated-07 Nov, 2023 | 03:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3 allows a privileged attacker to execute unauthorized code or commands via storing malicious payloads in replacement messages.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiosFortiOSFortiProxy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-38373
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-8||HIGH
EPSS-0.91% / 74.87%
||
7 Day CHG~0.00%
Published-02 Nov, 2022 | 00:00
Updated-25 Oct, 2024 | 13:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiDeceptor management interface 4.2.0, 4.1.0 through 4.1.1, 4.0.2 may allow an authenticated user to perform a cross site scripting (XSS) attack via sending requests with specially crafted lure resource ID.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortideceptorFortinet FortiDeceptor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-9288
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 42.64%
||
7 Day CHG~0.00%
Published-22 Jun, 2020 | 15:14
Updated-25 Oct, 2024 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in FortiWLC 8.5.1 allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the ESS profile or the Radius Profile.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwlcFortinet FortiWLC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-35851
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-8||HIGH
EPSS-0.70% / 71.00%
||
7 Day CHG~0.00%
Published-02 Nov, 2022 | 00:00
Updated-25 Oct, 2024 | 13:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiADC management interface 7.1.0 may allow a remote and authenticated attacker to trigger a stored cross site scripting (XSS) attack via configuring a specially crafted IP Address.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiadcFortinet FortiADC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6646
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 45.35%
||
7 Day CHG~0.00%
Published-17 Mar, 2020 | 12:49
Updated-25 Oct, 2024 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in FortiWeb allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Disclaimer Description of a Replacement Message.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortiwebFortinet FortiWeb
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6647
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.36% / 57.05%
||
7 Day CHG~0.00%
Published-07 Apr, 2020 | 18:41
Updated-25 Oct, 2024 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortiadc_firmwareFortinet FortiADC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6640
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 42.64%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 12:47
Updated-25 Oct, 2024 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortianalyzerFortinet FortiAnalyzer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-29057
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 42.26%
||
7 Day CHG~0.00%
Published-18 Jul, 2022 | 16:41
Updated-22 Oct, 2024 | 20:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiEDR version 5.1.0, 5.0.0 through 5.0.3 Patch 6 and 4.0.0 allows a remote authenticated attacker to perform a reflected cross site scripting attack (XSS) by injecting malicious payload into the Management Console via various endpoints.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiedrFortinet FortiEDR
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-26114
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.83% / 73.57%
||
7 Day CHG+0.14%
Published-06 Sep, 2022 | 15:15
Updated-22 Oct, 2024 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in the Webmail of FortiMail before 7.2.0 may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack via sending specially crafted mail messages.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortimailFortinet FortiMail
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-36555
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-3.9||LOW
EPSS-0.12% / 32.34%
||
7 Day CHG~0.00%
Published-10 Oct, 2023 | 16:48
Updated-18 Sep, 2024 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of script-related html tags in a web page (basic xss) in Fortinet FortiOS 7.2.0 - 7.2.4 allows an attacker to execute unauthorized code or commands via the SAML and Security Fabric components.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiosFortiOS
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41029
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.55% / 66.97%
||
7 Day CHG~0.00%
Published-08 Dec, 2021 | 11:29
Updated-25 Oct, 2024 | 13:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWLM version 8.6.1 and below allows attacker to store malicious javascript code in the device and trigger it via crafted HTTP requests

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwlmFortinet FortiWLM
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-29183
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-7.3||HIGH
EPSS-0.77% / 72.53%
||
7 Day CHG~0.00%
Published-13 Sep, 2023 | 12:29
Updated-22 Oct, 2024 | 21:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiProxy 7.2.0 through 7.2.4, 7.0.0 through 7.0.10 and FortiOS 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.14 GUI may allow an authenticated attacker to trigger malicious JavaScript code execution via crafted guest management setting.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiproxyfortiosFortiOSFortiProxy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12815
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 40.39%
||
7 Day CHG~0.00%
Published-24 Sep, 2020 | 13:33
Updated-25 Oct, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in FortiTester before 3.9.0 may allow a remote authenticated attacker to inject script related HTML tags via IPv4/IPv6 address fields.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerfortitesterFortinet FortiTester
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12814
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-4.1||MEDIUM
EPSS-0.50% / 65.01%
||
7 Day CHG~0.00%
Published-02 Nov, 2021 | 17:56
Updated-25 Oct, 2024 | 13:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6.0.6 and below, version 6.4.4 allows attacker to execute unauthorized code or commands via specifically crafted requests to the web GUI.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerFortinet FortiAnalyzer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-6699
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.34% / 56.18%
||
7 Day CHG~0.00%
Published-13 Mar, 2020 | 15:06
Updated-25 Oct, 2024 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in Fortinet FortiADC 5.3.3 and earlier may allow an attacker to execute a stored Cross Site Scripting (XSS) via a field in the traffic group interface.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiadcFortinet FortiADC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-44166
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-4.1||MEDIUM
EPSS-0.17% / 39.09%
||
7 Day CHG~0.00%
Published-02 Mar, 2022 | 10:00
Updated-22 Oct, 2024 | 21:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper access control vulnerability [CWE-284 ] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker having already obtained a user's password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortitoken_mobileFortinet FortiTokenAndroid
CVE-2019-17651
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 42.64%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 00:44
Updated-25 Oct, 2024 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM version 5.2.5 and below may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious JavaScript code into the description field of a Device Maintenance schedule.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisiemFortinet FortiSIEM
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-15706
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-4||MEDIUM
EPSS-0.03% / 8.46%
||
7 Day CHG~0.00%
Published-17 Mar, 2025 | 13:05
Updated-17 Mar, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation in the SSL VPN portal of FortiProxy version 2.0.0, version 1.2.9 and below and FortiOS version 6.2.1 and below, version 6.0.8 and below, version 5.6.12 may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS).

Action-Not Available
Vendor-Fortinet, Inc.
Product-FortiOSFortiProxy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-43080
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.47% / 63.55%
||
7 Day CHG+0.08%
Published-06 Sep, 2022 | 15:15
Updated-22 Oct, 2024 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS version 7.2.0, version 6.4.0 through 6.4.9, version 7.0.0 through 7.0.5 may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack through the URI parameter via the Threat Feed IP address section of the Security Fabric External connectors.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiosFortinet FortiOS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42752
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 49.28%
||
7 Day CHG~0.00%
Published-08 Dec, 2021 | 11:53
Updated-25 Oct, 2024 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWLM version 8.6.1 and below allows attacker to execute malicious javascript code on victim's host via crafted HTTP requests

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwlmFortinet FortiWLM
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22638
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.64% / 69.48%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 18:07
Updated-23 Oct, 2024 | 14:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Several improper neutralization of inputs during web page generation vulnerability [CWE-79] in FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.11 and below, 8.7.6 and below, 8.6.5 and below, 8.5.4 and below, 8.3.7 and below may allow an authenticated attacker to perform several XSS attacks via crafted HTTP GET requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortinacFortiNAC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24014
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.44% / 62.44%
||
7 Day CHG~0.00%
Published-04 Aug, 2021 | 18:11
Updated-25 Oct, 2024 | 13:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple instances of improper neutralization of input during web page generation vulnerabilities in FortiSandbox before 4.0.0 may allow an unauthenticated attacker to perform an XSS attack via specifically crafted request parameters.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortinet FortiSandbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-38379
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-3.4||LOW
EPSS-0.39% / 58.94%
||
7 Day CHG~0.00%
Published-06 Dec, 2022 | 16:00
Updated-07 Nov, 2023 | 03:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of input during web page generation [CWE-79] in FortiSOAR 7.0.0 through 7.0.3 and 7.2.0 may allow an authenticated attacker to inject HTML tags via input fields of various components within FortiSOAR.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisoarFortiSOAR
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-48893
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 24.19%
||
7 Day CHG+0.03%
Published-14 Jan, 2025 | 14:08
Updated-03 Feb, 2025 | 22:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSOAR 7.3.0 through 7.3.3, 7.2.1 through 7.2.2 may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack via the creation of malicious playbook.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisoarFortiSOAR
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15940
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-4.1||MEDIUM
EPSS-0.25% / 48.40%
||
7 Day CHG~0.00%
Published-02 Nov, 2021 | 17:49
Updated-25 Oct, 2024 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability [CWE-79] in FortiClientEMS versions 6.4.1 and below and 6.2.9 and below may allow a remote authenticated attacker to inject malicious script/tags via the name parameter of various sections of the server.

Action-Not Available
Vendor-Fortinet, Inc.
Product-forticlient_enterprise_management_serverFortinet FortiClientEMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-6643
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 42.64%
||
7 Day CHG~0.00%
Published-12 Mar, 2020 | 21:20
Updated-25 Oct, 2024 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input vulnerability in the URL Description in Fortinet FortiIsolator version 1.2.2 allows a remote authenticated attacker to perform a cross site scripting attack (XSS).

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiisolatorFortinet FortiIsolator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-1355
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 48.02%
||
7 Day CHG~0.00%
Published-27 Jun, 2018 | 20:00
Updated-25 Oct, 2024 | 14:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An open redirect vulnerability in Fortinet FortiManager 6.0.0, 5.6.5 and below versions, FortiAnalyzer 6.0.0, 5.6.5 and below versions allows attacker to inject script code during converting a HTML table to a PDF document under the FortiView feature. An attacker may be able to social engineer an authenticated user into generating a PDF file containing injected malicious URLs.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerfortimanagerFortinet FortiManager, FortiAnalyzer
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-23664
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.25% / 47.71%
||
7 Day CHG~0.00%
Published-03 Jun, 2024 | 09:50
Updated-21 Jan, 2025 | 21:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A URL redirection to untrusted site ('open redirect') in Fortinet FortiAuthenticator version 6.6.0, version 6.5.3 and below, version 6.4.9 and below may allow an attacker to to redirect users to an arbitrary website via a crafted URL.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiauthenticatorFortiAuthenticatorfortiauthenticator
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2018-13384
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.36% / 57.50%
||
7 Day CHG~0.00%
Published-04 Jun, 2019 | 20:38
Updated-25 Oct, 2024 | 14:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Host Header Redirection vulnerability in Fortinet FortiOS all versions below 6.0.5 under SSL VPN web portal allows a remote attacker to potentially poison HTTP cache and subsequently redirect SSL VPN web portal users to arbitrary web domains.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiosFortinet FortiOS
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2022-43950
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-3.9||LOW
EPSS-0.15% / 36.60%
||
7 Day CHG~0.00%
Published-03 May, 2023 | 21:26
Updated-22 Oct, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A URL redirection to untrusted site ('Open Redirect') vulnerability [CWE-601] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.1 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions may allow an unauthenticated attacker to redirect users to any arbitrary website via a crafted URL.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortinacfortinac-fFortiNAC
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2017-7343
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 41.88%
||
7 Day CHG~0.00%
Published-26 May, 2017 | 22:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An open redirect vulnerability in Fortinet FortiPortal 4.0.0 and below allows attacker to execute unauthorized code or commands via the url parameter.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiportalFortinet FortiPortal
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2017-3126
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 47.52%
||
7 Day CHG~0.00%
Published-26 May, 2017 | 22:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Open Redirect vulnerability in Fortinet FortiAnalyzer 5.4.0 through 5.4.2 and FortiManager 5.4.0 through 5.4.2 allows attacker to execute unauthorized code or commands via the next parameter.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzer_firmwarefortimanager_firmwareFortinet FortiAnalyzer, FortiManager
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2021-43064
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.94%
||
7 Day CHG~0.00%
Published-08 Dec, 2021 | 12:33
Updated-25 Oct, 2024 | 13:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to use the device as a proxy and reach external or protected hosts via redirection handlers.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwebFortinet FortiWeb
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2019-6696
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 41.88%
||
7 Day CHG~0.00%
Published-15 Mar, 2020 | 22:03
Updated-25 Oct, 2024 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper input validation vulnerability in FortiOS 6.2.1, 6.2.0, 6.0.8 and below until 5.4.0 under admin webUI may allow an attacker to perform an URL redirect attack via a specifically crafted request to the admin initial password change webpage.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiosFortinet FortiOS
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE ID-CWE-20
Improper Input Validation
CVE-2018-8813
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-1.44% / 79.92%
||
7 Day CHG~0.00%
Published-04 Apr, 2018 | 15:00
Updated-05 Aug, 2024 | 07:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Open redirect vulnerability in the login[redirect] parameter login functionality in WolfCMS 0.8.3.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL.

Action-Not Available
Vendor-wolfcmsn/a
Product-wolf_cmsn/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2023-2000
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.13% / 33.11%
||
7 Day CHG~0.00%
Published-02 May, 2023 | 08:57
Updated-06 Dec, 2024 | 23:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unrestricted navigation due to unvalidated mattermost server redirection

Mattermost Desktop App fails to validate a mattermost server redirection and navigates to an arbitrary website

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_desktopMattermost
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2023-0552
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-11.68% / 93.41%
||
7 Day CHG~0.00%
Published-27 Feb, 2023 | 15:24
Updated-18 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pie Register < 3.8.2.3 - Open Redirect

The Registration Forms WordPress plugin before 3.8.2.3 does not properly validate the redirection URL when logging in and login out, leading to an Open Redirect vulnerability

Action-Not Available
Vendor-genetechsolutionsUnknown
Product-pie_registerRegistration Forms
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2021-3851
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5||MEDIUM
EPSS-0.17% / 38.58%
||
7 Day CHG~0.00%
Published-19 Oct, 2021 | 12:30
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Redirect in firefly-iii/firefly-iii

firefly-iii is vulnerable to URL Redirection to Untrusted Site

Action-Not Available
Vendor-firefly-iiifirefly-iii
Product-firefly_iiifirefly-iii/firefly-iii
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found