CVE-2021-32585 – This stored cross-site scripting (XSS) vulnerab... (How to Fix)

Q: What is the severity of CVE-2021-32585?

CVE-2021-32585 has a CVSS score of 7.2 (HIGH). This stored cross-site scripting (XSS) vulnerability in FortiWAN allows attackers to inject malicious scripts into web pages via crafted HTTP requests. When users view these compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. Organizations running vulnerable FortiWAN versions are affected.

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in FortiWAN allows attackers to inject malicious scripts into web pages via crafted HTTP requests. When users view these compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. Organizations running vulnerable FortiWAN versions are affected.

💻 Affected Systems

Products:

FortiWAN

Versions: All versions before 4.5.9

Operating Systems: FortiWAN OS

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web management interface; requires attacker access to submit crafted HTTP requests.

📦 What is this software?

Fortiwan by Fortinet

View all CVEs affecting Fortiwan →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, hijack sessions, deploy malware to users' browsers, or pivot to internal network resources.

🟠

Likely Case

Session hijacking, credential theft, or defacement of the FortiWAN management interface.

🟢

If Mitigated

Limited impact if proper input validation and output encoding are implemented, though stored XSS remains dangerous.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires ability to send HTTP requests to the FortiWAN interface; stored XSS payloads persist until cleaned.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.9 and later

Vendor Advisory: https://fortiguard.com/psirt/FG-IR-21-078

Restart Required: Yes

Instructions:

1. Backup configuration. 2. Download FortiWAN 4.5.9 or later from Fortinet support portal. 3. Upload and apply firmware update via web interface or CLI. 4. Reboot device.

🔧 Temporary Workarounds

Input Validation and Output Encoding

all

Implement server-side validation and encoding for user inputs in web applications.

Restrict Access to Management Interface

all

Limit access to FortiWAN web interface to trusted IPs/networks.

Configure firewall rules to allow only specific source IPs to TCP/443 (HTTPS) on FortiWAN.

🧯 If You Can't Patch

Isolate FortiWAN management interface to a dedicated VLAN with strict access controls.
Implement a web application firewall (WAF) with XSS protection rules in front of FortiWAN.

🔍 How to Verify

Check if Vulnerable:

Check FortiWAN firmware version via web interface (System > Status) or CLI command 'get system status'.

Check Version:

get system status | grep Version

Verify Fix Applied:

Confirm version is 4.5.9 or higher; test input fields for XSS payloads.

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to FortiWAN web endpoints with script tags or JavaScript in parameters.

Network Indicators:

HTTP traffic to FortiWAN containing XSS payload patterns (e.g., <script>, javascript:).

SIEM Query:

source="fortiwan" AND (http_method="POST" AND url="*" AND (body="*<script>*" OR body="*javascript:*"))

📊 Metadata

CVE ID: CVE-2021-32585

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

Published: April 6, 2022

Last Updated: November 21, 2024

🔗 References

https://fortiguard.com/psirt/FG-IR-21-078 Vendor Advisory
https://fortiguard.com/psirt/FG-IR-21-078 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-32585, you might also want to check these: