
CVE-2022-30304: Fortiguard

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAnalyzer versions prior to 7.2.1, 7.0.4 and 6.4.8 may allow a remote unauthenticated attacker to perform a stored cross-site scripting (XSS) attack via the URL parameter shown in the FortiWeb attack event log view in FortiAnalyzer.

Tags: #xss #vulnerability #web #js #auth

**PSIRT Advisories**

FortiAnalyzer - XSS vulnerability due to AngularJS Client-Side Template injection

Summary

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAnalyzer may allow a remote unauthenticated attacker to perform a stored cross-site scripting (XSS) attack via the URL parameter shown in the FortiWeb attack event log view in FortiAnalyzer. The untrusted URL value was rendered through an AngularJS template, so interpolation markers in it were evaluated client-side (client-side template injection).

Affected Products

FortiAnalyzer version 7.2.0 through 7.2.1
FortiAnalyzer version 7.0.0 through 7.0.4
FortiAnalyzer version 6.4.0 through 6.4.8
FortiAnalyzer version 6.2.0 through 6.2.9
FortiAnalyzer version 6.0.0 through 6.0.11

Solutions

Please upgrade to FortiAnalyzer version 7.2.2 or above
Please upgrade to FortiAnalyzer version 7.0.5 or above
Please upgrade to FortiAnalyzer version 6.4.9 or above
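The following is an added example, not Fortinet's code and not FortiAnalyzer's schema, that illustrates the bug class behind this advisory from the defender's side: a pre-render function that escapes an untrusted log field and breaks AngularJS interpolation delimiters, plus a small hunt over stored events for values that would have been interpolated by the affected log view. Field names, the sample events and the helper names are all constructed assumptions.

```javascript
// Added example (not Fortinet's code): defensive handling of an untrusted
// log field of the kind the advisory describes. FortiWeb attack events
// carry a URL that FortiAnalyzer stores and later displays; because the
// view was an AngularJS template, "{{ ... }}" inside that value was
// evaluated as an expression (client-side template injection), turning a
// logged string into stored XSS. Field names and sample data are constructed.

// AngularJS 1.x interpolation delimiters and the HTML-significant characters.
const INTERPOLATION_RE = /\{\{[\s\S]*?\}\}/;
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for insertion into HTML. This alone does NOT stop template
// injection: braces are not HTML-special, so "{{" survives escaping and is
// still interpolated if the escaped string lands in a compiled template.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Break the interpolation delimiters. A zero-width space between the two
// braces keeps the value readable while AngularJS no longer sees "{{" or "}}".
function breakInterpolation(value) {
  return String(value).replace(/\{\{/g, '{\u200B{').replace(/\}\}/g, '}\u200B}');
}

// Safe rendering of an untrusted field for a markup path: escape for HTML,
// then break delimiters. The preferred fix is to bind the value through
// ng-bind / textContent so it never becomes template source at all; this is
// the fallback for code that must build markup.
function renderField(value) {
  return breakInterpolation(escapeHtml(value));
}

// Detection: flag stored events whose URL field carries interpolation
// delimiters or the start of an HTML tag. Useful for hunting in the window
// before the fixed versions listed above are deployed.
function findSuspiciousEvents(events) {
  return events.filter((e) => INTERPOLATION_RE.test(e.url) || /<[a-z!\/]/i.test(e.url));
}

// Constructed sample events, shaped loosely like an attack-event log.
const SAMPLE_EVENTS = [
  { id: 1, src: '203.0.113.5', url: '/login?user=alice' },
  { id: 2, src: '203.0.113.9', url: '/search?q={{1+1}}' },
  { id: 3, src: '198.51.100.2', url: '/item?id=<b>x</b>' },
];

if (typeof require !== 'undefined' && require.main === module) {
  const flagged = findSuspiciousEvents(SAMPLE_EVENTS);
  console.log('flagged event ids:', flagged.map((e) => e.id));
  for (const e of flagged) console.log(e.id, '->', renderField(e.url));
}
```

The two layers are deliberately separate: escaping protects DOM insertion, while breaking the delimiters protects against a template compiler that runs after the DOM has already decoded any entities, which is why entity-encoding the braces would not help.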

Acknowledgement

Fortinet is pleased to thank Robertino Bristiel and Michał Janczyk from NASK SA for reporting this vulnerability under responsible disclosure.
