AnĀ improper neutralization of special elements in output used by a downstream component (Injection) vulnerability [CWE-74] in FortiOS version 7.4.3 and below, version 7.2.8 and below, version 7.0.16 and below; FortiProxy version 7.4.3 and below, version 7.2.9 and below, version 7.0.16 and below; FortiSASE version 24.2.b SSL-VPN web user interface may allow a remote unauthenticated attacker to perform phishing attempts via crafted requests.
Weakness
The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Fortiproxy | Fortinet | 7.0.0 (including) | 7.0.17 (excluding) |
| Fortiproxy | Fortinet | 7.2.0 (including) | 7.2.10 (excluding) |
| Fortiproxy | Fortinet | 7.4.0 (including) | 7.4.4 (excluding) |
| Fortios | Fortinet | 7.0.0 (including) | 7.2.9 (excluding) |
| Fortios | Fortinet | 7.4.0 (including) | 7.4.4 (excluding) |