2 critical vulnerabilities in Fortinet FortiPortal

Cybersecurity specialists reported the finding of two vulnerabilities in Fortinet FortiPortal. According to the report, successful exploitation of these flaws would enable multiple attack scenarios.

Below is a brief description of the reported flaws, in addition to their tracking keys and score assigned by the Common Vulnerability Scoring System (CVSS).

CVE-2021-36176: Improper sanitization of user-supplied data in both the customer and provider interfaces would allow remote threat actors to send specially crafted links to targeted users and execute arbitrary HTML and script code in those users' browsers.

This is a low-severity flaw that received a CVSS score of 5.3/10.

CVE-2021-32595: The affected application does not properly control the consumption of internal resources in the web interface, which would allow remote malicious hackers to trigger a denial-of-service (DoS) condition.

This is a medium-severity flaw that received a CVSS score of 6.7/10.

Experts mention that the flaws affect the following versions of FortiPortal: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.1, 4.1.2, 4.2.1, 4.2.2, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4 and 6.0.5.

Cybersecurity specialists recommend that administrators of affected deployments install the latest updates as soon as possible to mitigate the risk of exploitation.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.