CVE-2021-43081: 
FortiOS vulnerability analysis and mitigation

An improper neutralization of input during web page generation vulnerability [CWE-79] was discovered in FortiOS and FortiProxy web filter override form. The vulnerability, identified as CVE-2021-43081, was disclosed on May 3, 2022, affecting FortiOS versions 7.0.3 and below, 6.4.8 and below, 6.2.10 and below, 6.0.14 to 6.0.0, and FortiProxy versions 7.0.1 and below, 2.0.7 to 2.0.0. The vulnerability was discovered by Tom Tervoort under responsible disclosure (Fortinet Advisory).

The vulnerability is classified as a Cross-site Scripting (XSS) issue that allows an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests. The severity is rated as Medium with a CVSS v3.1 Base Score of 6.1, with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically affects the web filter override form functionality in both FortiOS and FortiProxy products (NVD).

The exploitation of this vulnerability can lead to information disclosure and potential compromise of user data through cross-site scripting attacks. The attack requires user interaction but can be initiated by an unauthenticated attacker, potentially leading to unauthorized access to sensitive information (Fortinet Advisory).

Fortinet has released security patches to address this vulnerability. Users are advised to upgrade to FortiOS version 7.0.4 or above, FortiOS version 6.4.9 or above, FortiOS version 6.2.11 or above, FortiProxy version 7.0.2 or above, or FortiProxy version 2.0.8 or above (Fortinet Advisory).