CVE-2022-30304

2023-02-1619:15:12

CWE-79

[email protected]

web.nvd.nist.gov

fortianalyzer

input neutralization

cwe-79

web page generation

xss

fortiweb

attack event.

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

49.8%

JSON

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAnalyzer versions prior to 7.2.1, 7.0.4 and 6.4.8 may allow a remote unauthenticated attacker to perform a stored cross site scripting (XSS) attack via the URL parameter observed in the FortiWeb attack event logview in FortiAnalyzer.

Affected configurations

Nvd

Node

fortinetfortianalyzerRange6.0.0–6.0.11

fortinetfortianalyzerRange6.2.0–6.2.9

fortinetfortianalyzerRange6.4.0–6.4.9

fortinetfortianalyzerRange7.0.0–7.0.5

fortinetfortianalyzerMatch7.2.0

fortinetfortianalyzerMatch7.2.1

VendorProductVersionCPE
fortinetfortianalyzer*cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
fortinetfortianalyzer7.2.0cpe:2.3:a:fortinet:fortianalyzer:7.2.0:*:*:*:*:*:*:*
fortinetfortianalyzer7.2.1cpe:2.3:a:fortinet:fortianalyzer:7.2.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fortinet	fortianalyzer	*	cpe:2.3:a:fortinet:fortianalyzer::::::::
fortinet	fortianalyzer	7.2.0	cpe:2.3:a:fortinet:fortianalyzer:7.2.0:::::::*
fortinet	fortianalyzer	7.2.1	cpe:2.3:a:fortinet:fortianalyzer:7.2.1:::::::*