CVE-2022-39954
HIGHFortiNAC 8.3.7-9.4.1 - XML External Entity Injection via Crafted XML Documents
Title source: llmDescription
An improper restriction of xml external entity reference in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.7, FortiNAC version 9.1.0 through 9.1.8, FortiNAC version 8.8.0 through 8.8.11, FortiNAC version 8.7.0 through 8.7.6, FortiNAC version 8.6.0 through 8.6.5, FortiNAC version 8.5.0 through 8.5.4, FortiNAC version 8.3.7 allows attacker to read arbitrary files or trigger a denial of service via specifically crafted XML documents.
References (1)
Core 1
Core References
Vendor Advisory
https://fortiguard.com/psirt/FG-IR-22-304
Scores
CVSS v3
7.3
EPSS
0.0033
EPSS Percentile
56.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (2)
fortinet/fortinac
8.3.7 - 9.2.7
fortinet/fortinac-f
< 7.2.0
Published
Feb 16, 2023
Tracked Since
Feb 18, 2026