Skip to main content

Fortinac CVE-2023-22638

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-02-16 psirt@fortinet.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 16, 2023 - 19:15 nvd
MEDIUM 5.4

DescriptionNVD

Several improper neutralization of inputs during web page generation vulnerability [CWE-79] in FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.11 and below, 8.7.6 and below, 8.6.5 and below, 8.5.4 and below, 8.3.7 and below may allow an authenticated attacker to perform several XSS attacks via crafted HTTP GET requests.

AnalysisAI

Several improper neutralization of inputs during web page generation vulnerability [CWE-79] in FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.11 and below, 8.7.6 and below, 8.6.5 and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Several improper neutralization of inputs during web page generation vulnerability [CWE-79] in FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.11 and below, 8.7.6 and below, 8.6.5 and below, 8.5.4 and below, 8.3.7 and below may allow an authenticated attacker to perform several XSS attacks via crafted HTTP GET requests. Affected products include: Fortinet Fortinac.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2021-43065 HIGH POC
7.8 Dec 09

A incorrect permission assignment for critical resource in Fortinet FortiNAC version 9.2.0, version 9.1.3 and below, ver

CVE-2023-33299 CRITICAL
9.8 Jun 23

A deserialization of untrusted data in Fortinet FortiNAC below 7.2.1, below 9.4.3, below 9.2.8 and all earlier versions

CVE-2024-31488 CRITICAL
9.0 May 14

An improper neutralization of inputs during web page generation vulnerability [CWE-79] in FortiNAC version 9.4.0 through

CVE-2023-22637 CRITICAL
9.0 May 03

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiN

CVE-2022-26117 HIGH
8.8 Jul 18

An empty password in configuration file vulnerability [CWE-258] in FortiNAC version 8.3.7 and below, 8.5.2 and below, 8.

CVE-2022-26116 HIGH
8.8 May 11

Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerability [CWE-89] in Fo

CVE-2023-26203 HIGH
7.8 May 03

A use of hard-coded credentials vulnerability [CWE-798] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9

CVE-2023-22633 HIGH
7.5 Jun 13

An improper permissions, privileges, and access controls vulnerability [CWE-264] in FortiNAC-F 7.2.0, FortiNAC 9.4.1 and

CVE-2021-24011 HIGH
7.2 May 10

A privilege escalation vulnerability in FortiNAC version below 8.8.2 may allow an admin user to escalate the privileges

CVE-2021-41021 MEDIUM
6.7 Dec 08

A privilege escalation vulnerability in FortiNAC versions 8.8.8 and below and 9.1.2 and below may allow an admin user to

CVE-2020-12816 MEDIUM
6.1 Sep 24

An improper neutralization of input vulnerability in FortiNAC before 8.7.2 may allow a remote authenticated attacker to

CVE-2019-5594 MEDIUM
6.1 Aug 23

An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.

Share

CVE-2023-22638 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy