CVE-2022-43955 – This vulnerability allows unauthenticated remot... (How to Fix)

Q: What is the severity of CVE-2022-43955?

CVE-2022-43955 has a CVSS score of 8.8 (HIGH). This vulnerability allows unauthenticated remote attackers to perform reflected cross-site scripting (XSS) attacks against FortiWeb web interfaces by injecting malicious payloads into log entries used for report generation. Attackers can execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies or performing actions on behalf of authenticated users. All FortiWeb versions from 6.0 through 7.0.3 are affected.

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to perform reflected cross-site scripting (XSS) attacks against FortiWeb web interfaces by injecting malicious payloads into log entries used for report generation. Attackers can execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies or performing actions on behalf of authenticated users. All FortiWeb versions from 6.0 through 7.0.3 are affected.

💻 Affected Systems

Products:

FortiWeb Web Application Firewall

Versions: 7.0.0 through 7.0.3, 6.3.0 through 6.3.21, 6.4 all versions, 6.2 all versions, 6.1 all versions, 6.0 all versions

Operating Systems: FortiWeb OS

Default Config Vulnerable: ⚠️ Yes

Notes: All configurations with web interface enabled are vulnerable. The vulnerability exists in the report generation functionality that processes log entries.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal administrator session cookies, gain full administrative access to FortiWeb, reconfigure security policies, disable protections, and pivot to internal networks.

🟠

Likely Case

Attackers steal user session cookies, perform actions as authenticated users, or redirect users to malicious sites for credential harvesting.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized, preventing successful exploitation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires tricking users into clicking malicious links. No authentication is required to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.4, 6.3.22, and later versions

Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-428

Restart Required: Yes

Instructions:

1. Log into FortiWeb web interface as administrator. 2. Navigate to System > Dashboard > Status. 3. Check current firmware version. 4. Download appropriate firmware from Fortinet support portal. 5. Navigate to System > Maintenance > Firmware. 6. Upload and install new firmware. 7. Reboot device after installation completes.

🔧 Temporary Workarounds

Disable Web Interface

all

Temporarily disable the FortiWeb web interface to prevent exploitation while planning patching.

config system interface
edit port1
set allowaccess ping https ssh
next
end

Restrict Web Interface Access

all

Limit web interface access to trusted IP addresses only using firewall rules.

config firewall address
edit "trusted_admin"
set subnet 192.168.1.0 255.255.255.0
next
end
config firewall policy
edit 1
set srcintf port1
set dstintf port1
set srcaddr "trusted_admin"
set dstaddr all
set service HTTPS
set action accept
next
end

🧯 If You Can't Patch

Implement web application firewall rules to block XSS payloads in log entries.
Deploy network segmentation to isolate FortiWeb management interface from untrusted networks.

🔍 How to Verify

Check if Vulnerable:

Check FortiWeb firmware version via web interface: System > Dashboard > Status. If version is within affected ranges, system is vulnerable.

Check Version:

get system status

Verify Fix Applied:

After patching, verify firmware version shows 7.0.4+, 6.3.22+, or later. Test by attempting to inject basic XSS payloads into log entries and checking if they're properly sanitized.

📡 Detection & Monitoring

Log Indicators:

Unusual JavaScript or HTML injection attempts in web interface logs
Multiple failed login attempts followed by successful login from new IP
Unexpected report generation requests with suspicious parameters

Network Indicators:

HTTP requests containing script tags or JavaScript in URL parameters to FortiWeb interface
Outbound connections from FortiWeb to unexpected external domains

SIEM Query:

source="fortiweb" AND (url="*<script*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")

📊 Metadata

CVE ID: CVE-2022-43955

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-79

Published: April 11, 2023

Last Updated: November 21, 2024

🔗 References

https://fortiguard.com/psirt/FG-IR-22-428 Vendor Advisory
https://fortiguard.com/psirt/FG-IR-22-428 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-43955, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Fortiweb by Fortinet

Fortiweb by Fortinet

Fortiweb by Fortinet

Fortiweb by Fortinet

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Web Interface

Restrict Web Interface Access

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities