Security researchers have reported two vulnerabilities in Fortinet FortiPortal. According to the report, successful exploitation of these flaws would enable several attack scenarios.
Below is a brief description of the reported flaws, along with their CVE identifiers and the scores assigned under the Common Vulnerability Scoring System (CVSS).
CVE-2021-36176: Improper sanitization of user-supplied data in both the customer and provider interfaces would allow remote threat actors to send specially crafted links to target users and execute arbitrary HTML and script code in the users' browsers (a cross-site scripting condition).
This is a low severity flaw and received a CVSS score of 5.3/10.
CVE-2021-32595: The affected application does not properly control the consumption of internal resources in the web interface, which would allow remote attackers to trigger a denial of service (DoS) condition.
This is a medium severity flaw and received a CVSS score of 6.7/10.
The flaws affect the following FortiPortal versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.1, 4.1.2, 4.2.1, 4.2.2, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4 and 6.0.5.
Administrators of affected deployments are advised to install the latest updates as soon as possible to mitigate the risk of exploitation.