First published: Tue Nov 02 2021
An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports consumed by FortiPortal to trigger a denial of service or read arbitrary files from the underlying file system by means of specifically crafted XML documents.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiPortal | >=4.0.0, <=4.0.4 | |
| Fortinet FortiPortal | >=4.1.0, <=4.1.2 | |
| Fortinet FortiPortal | >=4.2.0, <=4.2.4 | |
| Fortinet FortiPortal | >=5.0.0, <=5.0.3 | |
| Fortinet FortiPortal | >=5.1.0, <=5.1.2 | |
| Fortinet FortiPortal | >=5.2.0, <=5.2.6 | |
| Fortinet FortiPortal | >=5.3.0, <5.3.7 | |
| Fortinet FortiPortal | >=6.0.0, <6.0.6 | |
CVE-2021-36172 is considered a medium severity vulnerability due to its potential to cause denial of service and unauthorized file access.
To fix CVE-2021-36172, update FortiPortal to version 6.0.6 or later.
CVE-2021-36172 allows attackers to trigger denial of service and read arbitrary files from the underlying file system.
FortiPortal versions 4.0.0 to 4.0.4, 4.1.0 to 4.1.2, 4.2.0 to 4.2.4, 5.0.0 to 5.0.3, 5.1.0 to 5.1.2, 5.2.0 to 5.2.6, 5.3.0 to 5.3.7, and all versions below 6.0.6 are affected by CVE-2021-36172.
There are currently no known workarounds for CVE-2021-36172 besides updating to the patched version.
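The description above boils down to a parser that accepts a DTD from an untrusted report producer. The snippet below is an added, self-contained illustration of the parser-side control that closes this class of bug: refuse any DOCTYPE (and therefore any entity declaration or external reference) before the document body is processed. It is not Fortinet's code and says nothing about how FortiPortal's own parser is built; the `<report>`/`<device>` format, the `parse_report` and `is_safe_report` names, and both sample documents are constructed for the example. It uses only the Python standard library's expat bindings.

```python
"""Hardened XML report parser: reject DTDs before any entity can be declared (added example)."""
from typing import Dict, List
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when a report carries a DOCTYPE, an entity declaration or an external entity reference."""


# expat handler signatures are fixed by the library; each one aborts the parse
# by raising, which expat propagates out of Parse().
def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise UnsafeXmlError(f"DOCTYPE not allowed in reports (root={name!r})")


def _reject_entity_decl(name, is_param, value, base, sysid, pubid, notation):
    raise UnsafeXmlError(f"entity declaration not allowed: {name!r}")


def _reject_external_ref(context, base, sysid, pubid):
    raise UnsafeXmlError(f"external entity reference not allowed: {sysid!r}")


def parse_report(xml_bytes: bytes) -> List[Dict[str, str]]:
    """Parse a constructed device-status report into [{'name': ..., 'status': ...}, ...].

    A DOCTYPE is rejected the moment it is seen, so external entities (file reads,
    network fetches) and recursive internal entities (expansion-based DoS) can never
    be declared, let alone resolved.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _reject_external_ref

    devices: List[Dict[str, str]] = []
    state = {"current": None, "field": None}

    def start(tag, attrs):
        if tag == "device":
            state["current"] = {"name": attrs.get("name", ""), "status": ""}
        elif tag == "status" and state["current"] is not None:
            state["field"] = "status"

    def chars(data):
        # character data may arrive in several chunks; accumulate it
        if state["field"] == "status":
            state["current"]["status"] += data

    def end(tag):
        if tag == "status":
            state["field"] = None
        elif tag == "device" and state["current"] is not None:
            devices.append(state["current"])
            state["current"] = None

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return devices


def is_safe_report(xml_bytes: bytes) -> bool:
    """True if the report parses without tripping any DTD-related rejection."""
    try:
        parse_report(xml_bytes)
        return True
    except UnsafeXmlError:
        return False


# Constructed sample: a well-formed report from a trusted producer.
BENIGN_REPORT = b"""<?xml version="1.0"?>
<report><device name="fw-1"><status>ok</status></device>
<device name="fw-2"><status>degraded</status></device></report>"""

# Constructed sample: the shape of a report that declares an external entity.
# The DOCTYPE itself is rejected, so the SYSTEM identifier is never dereferenced.
DTD_REPORT = b"""<?xml version="1.0"?>
<!DOCTYPE report [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<report><device name="&ext;"><status>ok</status></device></report>"""


if __name__ == "__main__":
    print(parse_report(BENIGN_REPORT))
    print("benign accepted:", is_safe_report(BENIGN_REPORT))
    print("DTD report accepted:", is_safe_report(DTD_REPORT))
```

Rejecting the DOCTYPE outright, rather than only disabling external entity resolution, is the simplest robust position for a consumer of machine-generated reports: such reports have no legitimate need for a DTD, and the same switch also blocks the entity-expansion variant behind the denial-of-service outcome. Logging the `UnsafeXmlError` with the producer's identity gives operators a detection signal for a compromised or rogue report source.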