CVE-2021-26103
Severity CVSS v4.0:
Pending analysis
Type:
CWE-345
Insufficient Verification of Data Authenticity
Publication date:
08/12/2021
Last modified:
09/12/2021
Description
An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy version 2.0.3 and below, 1.2.11 and below and FortiGate version 7.0.0, 6.4.6 and below, 6.2.9 and below of SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack. Only SSL VPN in web mode or full mode is impacted by this vulnerability.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Base Score 2.0
5.10
Severity 2.0
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* | 1.2.0 (including) | 1.2.11 (including) |
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* | 2.0.0 (including) | 2.0.3 (including) |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | 5.6.0 (including) | 5.6.14 (including) |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | 6.0.0 (including) | 6.0.13 (including) |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | 6.2.0 (including) | 6.2.9 (including) |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | 6.4.0 (including) | 6.4.6 (including) |
cpe:2.3:o:fortinet:fortios:7.0.0:*:*:*:*:*:*:* | | |