CVE-2022-39950

moderate-risk
Published 2022-11-02

An improper neutralization of input during web page generation vulnerability [CWE-79] exists in FortiManager and FortiAnalyzer 6.0.0 all versions, 6.2.0 all versions, 6.4.0 through 6.4.8, and 7.0.0 through 7.0.4. Report templates may allow a low privilege level attacker to perform an XSS attack via posting a crafted CKeditor "protected" comment as described in CVE-2020-9281.

Do I need to act?

-
0.73% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.0/10 High
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Fortinet

References (2)

Vendor Advisory https://fortiguard.com/psirt/FG-IR-21-228
Vendor Advisory https://fortiguard.com/psirt/FG-IR-21-228
37
/ 100
moderate-risk
Severity 28/34 · Critical
Exploitability 2/34 · Minimal
Exposure 7/34 · Low