CVE-2023-22638: 
FortiNAC vulnerability analysis and mitigation

Several improper neutralization of inputs during web page generation vulnerabilities were discovered in FortiNAC versions 9.4.1 and below, affecting multiple version ranges including 9.2.6 and below, 9.1.8 and below, 8.8.11 and below, 8.7.6 and below, 8.6.5 and below, 8.5.4 and below, and 8.3.7 and below. The vulnerability was assigned CVE-2023-22638 and was disclosed on January 5, 2023 (CVE MITRE).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue [CWE-79] that allows authenticated attackers to perform XSS attacks through crafted HTTP GET requests. The vulnerability has been assigned a CVSS v3.1 score of 6.7 (Medium severity) with the following vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD, FortiGuard).

If successfully exploited, this vulnerability could allow an authenticated attacker to perform cross-site scripting attacks, potentially leading to the execution of unauthorized code or commands in the context of the affected web application (FortiGuard).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to the latest version of FortiNAC that contains the security fixes (FortiGuard).