ID

VAR-202205-0509


CVE

CVE-2021-43081


TITLE

Cross-site scripting vulnerability in FortiOS and FortiProxy

Trust: 0.8

sources: JVNDB: JVNDB-2022-011202

DESCRIPTION

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS version 7.0.3 and below, 6.4.8 and below, 6.2.10 and below, 6.0.14 to 6.0.0, and in FortiProxy version 7.0.1 and below, 2.0.7 to 2.0.0 web filter override form may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests. A cross-site scripting vulnerability exists in FortiOS and FortiProxy; information may be obtained and information may be tampered with. Fortinet FortiProxy SSL VPN is application software from the US company Fortinet that provides an intrusion detection function. Fortinet FortiProxy SSL VPN has a cross-site scripting vulnerability that results from insufficient sanitization of user-supplied data, allowing remote attackers to steal potentially sensitive information, change the appearance of web pages, and perform phishing and drive-by download attacks.

Trust: 1.8

sources: NVD: CVE-2021-43081 // JVNDB: JVNDB-2022-011202 // VULHUB: VHN-404131 // VULMON: CVE-2021-43081

AFFECTED PRODUCTS

vendor:fortinet model:fortios scope:gte version:6.2.0

Trust: 1.0

vendor:fortinet model:fortios scope:lt version:6.4.9

Trust: 1.0

vendor:fortinet model:fortiproxy scope:gte version:2.0.0

Trust: 1.0

vendor:fortinet model:fortios scope:lte version:6.0.14

Trust: 1.0

vendor:fortinet model:fortiproxy scope:gte version:7.0.0

Trust: 1.0

vendor:fortinet model:fortios scope:gte version:6.4.0

Trust: 1.0

vendor:fortinet model:fortios scope:lte version:6.2.10

Trust: 1.0

vendor:fortinet model:fortiproxy scope:lt version:7.0.2

Trust: 1.0

vendor:fortinet model:fortios scope:gte version:6.0.0

Trust: 1.0

vendor:fortinet model:fortiproxy scope:lt version:2.0.8

Trust: 1.0

vendor:fortinet model:fortios scope:lt version:7.0.4

Trust: 1.0

vendor:fortinet model:fortios scope:gte version:7.0.0

Trust: 1.0

vendor:Fortinet model:fortios scope:lte version:6.4.8 and earlier

Trust: 0.8

vendor:Fortinet model:fortiproxy scope: - version: -

Trust: 0.8

vendor:Fortinet model:fortios scope:lte version:7.0.3 and earlier

Trust: 0.8

vendor:Fortinet model:fortios scope:lte version:6.2.10 and earlier

Trust: 0.8

vendor:Fortinet model:fortios scope:eq version:6.0.0 to 6.0.14

Trust: 0.8

sources: JVNDB: JVNDB-2022-011202 // NVD: CVE-2021-43081

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-43081
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2021-43081
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-43081
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202205-1938
value: MEDIUM

Trust: 0.6

VULHUB: VHN-404131
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-43081
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-43081
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-404131
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-43081
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 2.0

OTHER: JVNDB-2022-011202
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-404131 // VULMON: CVE-2021-43081 // JVNDB: JVNDB-2022-011202 // CNNVD: CNNVD-202205-1938 // NVD: CVE-2021-43081

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

problemtype:Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-404131 // JVNDB: JVNDB-2022-011202 // NVD: CVE-2021-43081

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-1938

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202205-1938

PATCH

title:FG-IR-21-230 url:https://www.fortiguard.com/psirt/FG-IR-21-230

Trust: 0.8

title:Fortinet FortiProxy SSL VPN Fixes for cross-site scripting vulnerabilities url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=191268

Trust: 0.6

sources: JVNDB: JVNDB-2022-011202 // CNNVD: CNNVD-202205-1938

EXTERNAL IDS

db:NVD id:CVE-2021-43081

Trust: 3.4

db:JVNDB id:JVNDB-2022-011202

Trust: 0.8

db:CS-HELP id:SB2022050317

Trust: 0.6

db:CNNVD id:CNNVD-202205-1938

Trust: 0.6

db:CNVD id:CNVD-2022-50948

Trust: 0.1

db:VULHUB id:VHN-404131

Trust: 0.1

db:VULMON id:CVE-2021-43081

Trust: 0.1

sources: VULHUB: VHN-404131 // VULMON: CVE-2021-43081 // JVNDB: JVNDB-2022-011202 // CNNVD: CNNVD-202205-1938 // NVD: CVE-2021-43081

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-21-230

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-43081

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022050317

Trust: 0.6

url:https://vigilance.fr/vulnerability/fortios-cross-site-scripting-via-web-filter-block-override-form-38208

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2021-43081/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-404131 // VULMON: CVE-2021-43081 // JVNDB: JVNDB-2022-011202 // CNNVD: CNNVD-202205-1938 // NVD: CVE-2021-43081

SOURCES

db:VULHUB id:VHN-404131
db:VULMON id:CVE-2021-43081
db:JVNDB id:JVNDB-2022-011202
db:CNNVD id:CNNVD-202205-1938
db:NVD id:CVE-2021-43081

LAST UPDATE DATE

2024-08-14T14:55:28.559000+00:00


SOURCES UPDATE DATE

db:VULHUB id:VHN-404131 date:2022-05-19T00:00:00
db:VULMON id:CVE-2021-43081 date:2022-05-19T00:00:00
db:JVNDB id:JVNDB-2022-011202 date:2023-08-21T04:42:00
db:CNNVD id:CNNVD-202205-1938 date:2022-05-20T00:00:00
db:NVD id:CVE-2021-43081 date:2022-05-19T02:25:38.847

SOURCES RELEASE DATE

db:VULHUB id:VHN-404131 date:2022-05-11T00:00:00
db:VULMON id:CVE-2021-43081 date:2022-05-11T00:00:00
db:JVNDB id:JVNDB-2022-011202 date:2023-08-21T00:00:00
db:CNNVD id:CNNVD-202205-1938 date:2022-05-03T00:00:00
db:NVD id:CVE-2021-43081 date:2022-05-11T15:15:08.603