PT-2021-15648 · Fortinet · Fortianalyzer
Published
2021-10-06
·
Updated
2021-10-14
·
CVE-2021-24021
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
FortiAnalyzer versions 6.0.10 and below
FortiAnalyzer versions 6.2.7 and below
FortiAnalyzer versions 6.4.3 and below
Description:
The issue is related to an improper neutralization of input, which may allow a remote authenticated attacker to perform a stored cross-site scripting attack via the column settings of Logview in FortiAnalyzer. This could happen if the attacker can obtain a specific POST request, potentially through other hypothetical attacks.
Recommendations:
For FortiAnalyzer versions 6.0.10 and below, update to a version above 6.0.10 to resolve the issue.
For FortiAnalyzer versions 6.2.7 and below, update to a version above 6.2.7 to resolve the issue.
For FortiAnalyzer versions 6.4.3 and below, update to a version above 6.4.3 to resolve the issue.
As a temporary workaround, consider restricting access to the Logview column settings in FortiAnalyzer to minimize the risk of exploitation.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fortianalyzer