CVE-2022-40676: 
FortiNAC vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability (CVE-2022-40676) was discovered in Fortinet FortiNAC's GUI component. The vulnerability, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation), affects multiple versions including 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.8, and all versions 8.8, 8.7, 8.6, 8.5, and 8.3. The vulnerability was internally discovered by Gwendal Guégniaud of Fortinet Product Security team and was initially published on March 7, 2023 (Fortinet Advisory).

The vulnerability is characterized by improper neutralization of input during web page generation, which could allow an authenticated user to perform a cross-site scripting attack through specially crafted HTTP requests. The severity is rated as High with a CVSSv3 score of 7.1. According to the National Vulnerability Database, the CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, and required user interaction (NVD).

The exploitation of this vulnerability could allow attackers to execute unauthorized code or commands via specially crafted HTTP requests. This could potentially lead to unauthorized access to sensitive information, manipulation of web content, and compromise of user sessions (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Organizations are advised to upgrade to the following versions: FortiNAC version 9.4.1 or above, FortiNAC version 9.2.6 or above, FortiNAC version 9.1.9 or above, or FortiNAC version 7.2.0 or above (Fortinet Advisory).