CVE-2021-26103: CSRF
First published: Wed Dec 08 2021(Updated: )
An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy verison 2.0.3 and below, 1.2.11 and below and FortiGate verison 7.0.0, 6.4.6 and below, 6.2.9 and below of SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack . Only SSL VPN in web mode or full mode are impacted by this vulnerability.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiProxy SSL VPN webmode | >=1.2.0<=1.2.11 | |
| Fortinet FortiProxy SSL VPN webmode | >=2.0.0<=2.0.3 | |
| FortiOS | >=5.6.0<=5.6.14 | |
| FortiOS | >=6.0.0<=6.0.13 | |
| FortiOS | >=6.2.0<=6.2.9 | |
| FortiOS | >=6.4.0<=6.4.6 | |
| FortiOS | =7.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-26103?
CVE-2021-26103 is an insufficient verification of data authenticity vulnerability in the user interface of FortiProxy and FortiGate SSL VPN portal.
What is the severity of CVE-2021-26103?
The severity of CVE-2021-26103 is high with a CVSS score of 8.8.
Which software versions are affected by CVE-2021-26103?
FortiProxy versions up to 2.0.3, 1.2.11 and below are affected. Also, FortiGate versions 7.0.0, 6.4.6 and below, 6.2.9 and below, 6.0.13 and below, and 5.6.14 and below are affected.
How does CVE-2021-26103 affect the user interface of FortiProxy and FortiGate SSL VPN portal?
CVE-2021-26103 allows a remote, unauthenticated attacker to conduct a cross-site scripting (XSS) attack on the user interface of FortiProxy and FortiGate SSL VPN portal.
Where can I find more information about CVE-2021-26103?
You can find more information about CVE-2021-26103 on the FortiGuard Advisory FG-IR-20-158.
- agent/type
- agent/references
- agent/remedy
- agent/author
- agent/weakness
- agent/description
- agent/severity
- agent/event
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/fortinet
- canonical/fortinet fortiproxy ssl vpn webmode
- version/fortinet fortiproxy ssl vpn webmode/1.2.0
- version/fortinet fortiproxy ssl vpn webmode/1.2.11
- version/fortinet fortiproxy ssl vpn webmode/2.0.0
- version/fortinet fortiproxy ssl vpn webmode/2.0.3
- canonical/fortios
- version/fortios/5.6.0
- version/fortios/5.6.14
- version/fortios/6.0.0
- version/fortios/6.0.13
- version/fortios/6.2.0
- version/fortios/6.2.9
- version/fortios/6.4.0
- version/fortios/6.4.6
- version/fortios/7.0.0