PT-2022-5799 · Fortinet · FortiDeceptor

Published: 2022-08-16 · Updated: 2022-11-03 · CVE-2022-38373

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: FortiDeceptor versions 4.0.2, 4.1.0 through 4.1.1, 4.2.0

Description: The issue is related to an improper neutralization of input during web page generation, which may allow an authenticated user to perform a cross-site scripting (XSS) attack. This can be achieved by sending requests with a specially crafted lure resource ID. The vulnerability can be exploited by a remote attacker to conduct spoofing attacks.

Recommendations: For FortiDeceptor versions 4.0.2, 4.1.0 through 4.1.1 and 4.2.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the management interface to minimize the risk of exploitation.

Fix

XSS

Weakness Enumeration

Related Identifiers: BDU:2022-07200, CVE-2022-38373

Affected Products: FortiDeceptor