CVE-2022-38376: 
FortiNAC vulnerability analysis and mitigation

Multiple cross-site scripting (XSS) vulnerabilities were discovered in Fortinet FortiNAC portal UI versions before 9.4.1. The vulnerability, tracked as CVE-2022-38376, was disclosed on February 16, 2023. The issue affects multiple versions of FortiNAC including versions 8.3.7, 8.5.0 through 8.5.4, and 8.6.0 through 9.4.1 (NVD).

The vulnerability is classified as improper neutralization of input during web page generation (CWE-79). It allows attackers to perform cross-site scripting attacks through crafted HTTP requests to the FortiNAC portal UI. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).

If successfully exploited, this vulnerability could allow attackers to execute malicious scripts in users' browsers, potentially leading to theft of sensitive information, session hijacking, or other client-side attacks. The CVSS metrics indicate low impact on both confidentiality and integrity, with no impact on availability (NVD).

Fortinet has addressed this vulnerability in FortiNAC version 9.4.1. Organizations using affected versions should upgrade to version 9.4.1 or later to mitigate this security risk (Fortiguard).