CVE-2021-32602
low-risk
Published 2021-08-19
An improper neutralization of input during web page generation vulnerability (CWE-79) in FortiPortal GUI 6.0.4 and below, 5.3.6 and below, 5.2.6 and below, 5.1.2 and below, 5.0.3 and below, 4.2.2 and below, 4.1.2 and below, 4.0.4 and below may allow a remote and unauthenticated attacker to perform an XSS attack via sending a crafted request with an invalid lang parameter or with an invalid org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE value.
Do I need to act?
-
0.44% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.8/10
Medium
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (2)
Vendor Advisory
https://fortiguard.com/advisory/FG-IR-20-066
Vendor Advisory
https://fortiguard.com/advisory/FG-IR-20-066
29
/ 100
low-risk
Severity
22/34 · High
Exploitability
2/34 · Minimal
Exposure
5/34 · Minimal