CVE-2022-41336

Name of the Vulnerable Software and Affected Versions FortiPortal versions 5.0 through 5.3 FortiPortal versions 6.0.0 through 6.0.11

Description The issue is related to an improper neutralization of input during web page generation, which may allow a remote authenticated attacker to perform a stored cross site scripting (XSS) attack. This can be achieved by sending a request with a specially crafted columnindex parameter.

Recommendations For FortiPortal versions 5.0 through 5.3, update to a version that includes the fix for this issue. For FortiPortal versions 6.0.0 through 6.0.11, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the management interface to minimize the risk of exploitation. Avoid using the columnindex parameter in the affected API endpoint until the issue is resolved.