Cybersecurity specialists have reported two vulnerabilities in Fortinet FortiPortal. According to the report, successful exploitation of these flaws would enable several attack scenarios.

Below is a brief description of the reported flaws, together with their CVE identifiers and the score assigned by the Common Vulnerability Scoring System (CVSS).

CVE-2021-36176: Improper sanitization of user-supplied data in both the customer and provider interfaces would allow remote threat actors to send specially crafted links to target users and run arbitrary HTML and script code in the users’ browsers.

This is a low-severity flaw that received a CVSS score of 5.3/10.

CVE-2021-32595: The affected application does not properly control consumption of internal resources in the web interface, which would allow remote malicious hackers to trigger a denial of service (DoS) condition.

This is a medium-severity flaw that received a CVSS score of 6.7/10.

Experts report that the flaws affect the following FortiPortal versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.1, 4.1.2, 4.2.1, 4.2.2, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4 and 6.0.5.

Cybersecurity specialists recommend that administrators of affected deployments install the latest updates as soon as possible to mitigate the risk of exploitation.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post 2 critical vulnerabilities in Fortinet FortiPortal appeared first on Information Security Newspaper | Hacking News.

