Description
Multiple cross-site scripting (XSS) vulnerabilities in admin/FEAdmin.html in Fortinet FortiMail before 4.3.4 on FortiMail Identity-Based Encryption (IBE) appliances allow user-assisted remote attackers to inject arbitrary web script or HTML via (1) the Add field for the Black List under Antispam Management User Preferences or (2) the User name field for the Personal Black/White List in the AntiSpam section.
Exploits (1)
exploitdb
WRITEUP
by Vulnerability-Lab · textwebappshardware
https://www.exploit-db.com/exploits/24435
References (3)
Core 3
Core References
Various Sources x_refsource_misc
http://www.vulnerability-lab.com/get_content.php?id=701
Exploit x_refsource_misc
http://www.youtube.com/watch?v=5d7cIaM80oY
Vendor Advisory x_refsource_confirm
http://www.fortiguard.com/advisory/FG-IR-013-001.html
Scores
EPSS
0.0490
EPSS Percentile
89.7%
Details
CWE
CWE-79
Status
published
Products (3)
fortinet/fortimail
3.0 mr2 (4 CPE variants)
fortinet/fortimail
4.0 (3 CPE variants)
fortinet/fortimail
< 4.0
Published
Feb 04, 2013
Tracked Since
Feb 18, 2026