Details of VAR-202205-0509

ID

VAR-202205-0509

CVE

CVE-2021-43081

TITLE

FortiOS and FortiProxy Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-011202

DESCRIPTION

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS version 7.0.3 and below, 6.4.8 and below, 6.2.10 and below, 6.0.14 to 6.0.0. and in FortiProxy version 7.0.1 and below, 2.0.7 to 2.0.0 web filter override form may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests. FortiOS and FortiProxy Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Fortinet FortiProxy SSL VPN is an application software of the United States (Fortinet) company. An intrusion detection function is provided. Fortinet FortiProxy SSL VPN has a cross-site scripting vulnerability, which results from insufficient sanitization of user-supplied data, allowing remote attackers to steal potentially sensitive information, change the appearance of web pages, and perform phishing and drive-by download attacks

Trust: 1.8

sources: NVD: CVE-2021-43081 // JVNDB: JVNDB-2022-011202 // VULHUB: VHN-404131 // VULMON: CVE-2021-43081

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortios	scope:	gte	version:	6.2.0	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	lt	version:	6.4.9	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	gte	version:	2.0.0	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	lte	version:	6.0.14	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	lte	version:	6.2.10	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	lt	version:	7.0.2	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiproxy	scope:	lt	version:	2.0.8	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	lt	version:	7.0.4	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	フォーティネット	model:	fortios	scope:	lte	version:	6.4.8 and earlier	Trust: 0.8
vendor:	フォーティネット	model:	fortiproxy	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortios	scope:	lte	version:	7.0.3 and earlier	Trust: 0.8
vendor:	フォーティネット	model:	fortios	scope:	lte	version:	6.2.10 and earlier	Trust: 0.8
vendor:	フォーティネット	model:	fortios	scope:	eq	version:	6.0.0 to 6.0.14	Trust: 0.8

sources: JVNDB: JVNDB-2022-011202 // NVD: CVE-2021-43081

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-43081
value:	MEDIUM
Trust: 1.0
psirt@fortinet.com:	CVE-2021-43081
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-43081
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202205-1938
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-404131
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-43081
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-43081
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-404131
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-43081
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2022-011202
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-404131 // VULMON: CVE-2021-43081 // JVNDB: JVNDB-2022-011202 // CNNVD: CNNVD-202205-1938 // NVD: CVE-2021-43081 // NVD: CVE-2021-43081

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.1
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-404131 // JVNDB: JVNDB-2022-011202 // NVD: CVE-2021-43081

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-1938

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202205-1938

PATCH

title:	FG-IR-21-230	url:	https://www.fortiguard.com/psirt/FG-IR-21-230	Trust: 0.8
title:	Fortinet FortiProxy SSL VPN Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=191268	Trust: 0.6

sources: JVNDB: JVNDB-2022-011202 // CNNVD: CNNVD-202205-1938

EXTERNAL IDS

db:	NVD	id:	CVE-2021-43081	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-011202	Trust: 0.8
db:	CS-HELP	id:	SB2022050317	Trust: 0.6
db:	CNNVD	id:	CNNVD-202205-1938	Trust: 0.6
db:	CNVD	id:	CNVD-2022-50948	Trust: 0.1
db:	VULHUB	id:	VHN-404131	Trust: 0.1
db:	VULMON	id:	CVE-2021-43081	Trust: 0.1

sources: VULHUB: VHN-404131 // VULMON: CVE-2021-43081 // JVNDB: JVNDB-2022-011202 // CNNVD: CNNVD-202205-1938 // NVD: CVE-2021-43081

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-21-230	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-43081	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2022050317	Trust: 0.6
url:	https://vigilance.fr/vulnerability/fortios-cross-site-scripting-via-web-filter-block-override-form-38208	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2021-43081/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-404131 // VULMON: CVE-2021-43081 // JVNDB: JVNDB-2022-011202 // CNNVD: CNNVD-202205-1938 // NVD: CVE-2021-43081

SOURCES

db:	VULHUB	id:	VHN-404131
db:	VULMON	id:	CVE-2021-43081
db:	JVNDB	id:	JVNDB-2022-011202
db:	CNNVD	id:	CNNVD-202205-1938
db:	NVD	id:	CVE-2021-43081

LAST UPDATE DATE

2024-08-14T14:55:28.559000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-404131	date:	2022-05-19T00:00:00
db:	VULMON	id:	CVE-2021-43081	date:	2022-05-19T00:00:00
db:	JVNDB	id:	JVNDB-2022-011202	date:	2023-08-21T04:42:00
db:	CNNVD	id:	CNNVD-202205-1938	date:	2022-05-20T00:00:00
db:	NVD	id:	CVE-2021-43081	date:	2022-05-19T02:25:38.847

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-404131	date:	2022-05-11T00:00:00
db:	VULMON	id:	CVE-2021-43081	date:	2022-05-11T00:00:00
db:	JVNDB	id:	JVNDB-2022-011202	date:	2023-08-21T00:00:00
db:	CNNVD	id:	CNNVD-202205-1938	date:	2022-05-03T00:00:00
db:	NVD	id:	CVE-2021-43081	date:	2022-05-11T15:15:08.603