CVE-2021-43063

MEDIUM

FortiWeb 6.2.0-6.2.6, 6.3.0-6.3.15, 6.4.0-6.4.1 - Cross-Site Scripting via Login Page HTTP GET Request

Title source: llm
STIX 2.1

Description

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the login webpage.

References (1)

Core 1
Core References
Patch, Vendor Advisory x_refsource_confirm
https://fortiguard.com/advisory/FG-IR-21-122

Scores

CVSS v3 6.1
EPSS 0.0077
EPSS Percentile 73.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
fortinet/fortiweb 6.4.0
fortinet/fortiweb 6.4.1
fortinet/fortiweb 6.2.0 - 6.2.6
Published Dec 08, 2021
Tracked Since Feb 18, 2026