CVE-2021-26092: 
FortiOS vulnerability analysis and mitigation

A reflected Cross-site Scripting (XSS) vulnerability (CVE-2021-26092) was discovered in the SSL VPN web portal of FortiOS and FortiProxy systems. The vulnerability affects FortiOS versions 5.2.10 through 5.2.15, 5.4.0 through 5.4.13, 5.6.0 through 5.6.14, 6.0.0 through 6.0.12, 6.2.0 through 6.2.7, 6.4.0 through 6.4.4, and FortiProxy versions 1.2.0 through 1.2.9, 2.0.0 through 2.0.1. The vulnerability was disclosed on January 25, 2021 (CVE MITRE).

The vulnerability stems from a failure to properly sanitize input in the SSL VPN web portal. The issue allows remote unauthenticated attackers to perform a reflected Cross-site Scripting (XSS) attack by sending requests to the error page with malicious GET parameters. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NVD and 4.7 (Medium) by Fortinet (NVD NIST).

If successfully exploited, this vulnerability could lead to unauthorized code execution and potential compromise of user data through cross-site scripting attacks. The vulnerability primarily affects the confidentiality and integrity of the system, with no direct impact on availability (NVD NIST).

Fortinet has released security patches to address this vulnerability. Users are advised to upgrade to the latest versions of their respective FortiOS and FortiProxy installations (Fortinet Advisory).