CVE-2021-32602

Name of the Vulnerable Software and Affected Versions FortiPortal GUI versions 6.0.4 and below FortiPortal GUI versions 5.3.6 and below FortiPortal GUI versions 5.2.6 and below FortiPortal GUI versions 5.1.2 and below FortiPortal GUI versions 5.0.3 and below FortiPortal GUI versions 4.2.2 and below FortiPortal GUI versions 4.1.2 and below FortiPortal GUI versions 4.0.4 and below

Description The issue is related to an improper neutralization of input during web page generation, which may allow a remote and unauthenticated attacker to perform an XSS attack. This can be achieved by sending a crafted request with an invalid lang parameter or with an invalid org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE value.

Recommendations For FortiPortal GUI versions 6.0.4 and below, update to a version above 6.0.4 to resolve the issue. For FortiPortal GUI versions 5.3.6 and below, update to a version above 5.3.6 to resolve the issue. For FortiPortal GUI versions 5.2.6 and below, update to a version above 5.2.6 to resolve the issue. For FortiPortal GUI versions 5.1.2 and below, update to a version above 5.1.2 to resolve the issue. For FortiPortal GUI versions 5.0.3 and below, update to a version above 5.0.3 to resolve the issue. For FortiPortal GUI versions 4.2.2 and below, update to a version above 4.2.2 to resolve the issue. For FortiPortal GUI versions 4.1.2 and below, update to a version above 4.1.2 to resolve the issue. For FortiPortal GUI versions 4.0.4 and below, update to a version above 4.0.4 to resolve the issue. As a temporary workaround, consider restricting access to the lang parameter and the org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE value to minimize the risk of exploitation.