CVE-2022-41330

Name of the Vulnerable Software and Affected Versions Fortinet FortiOS versions 6.4.0 through 6.4.11 Fortinet FortiOS versions 7.0.0 through 7.0.9 Fortinet FortiOS versions 7.2.0 through 7.2.3 Fortinet FortiOS versions before 6.2.12 FortiProxy versions 7.0.0 through 7.0.6 FortiProxy versions 7.2.0 through 7.2.1

Description The issue is related to an improper neutralization of input during web page generation, which allows an unauthenticated attacker to perform a Cross-site Scripting (XSS) attack via crafted HTTP GET requests. This can be exploited by sending specially crafted HTTP or HTTPS GET requests to the administrative interface of FortiOS and FortiProxy.

Recommendations For Fortinet FortiOS versions 6.4.0 through 6.4.11, update to a version outside of this range to resolve the issue. For Fortinet FortiOS versions 7.0.0 through 7.0.9, update to a version outside of this range to resolve the issue. For Fortinet FortiOS versions 7.2.0 through 7.2.3, update to a version outside of this range to resolve the issue. For Fortinet FortiOS versions before 6.2.12, update to a version 6.2.12 or later to resolve the issue. For FortiProxy versions 7.0.0 through 7.0.6, update to a version 7.0.7 or later to resolve the issue. For FortiProxy versions 7.2.0 through 7.2.1, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the administrative interface of FortiOS and FortiProxy to minimize the risk of exploitation.