CVE-2025-31366

Summary

An Improper Neutralization of Input During Web Page Generation vulnerability [CWE-79] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSASE 25.2.a may allow an unauthenticated attacker to perform a reflected cross site scripting (XSS) via crafted HTTP requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiProxy7.6.0 <= 7.6.3affected
FortinetFortiProxy7.4.0 <= 7.4.8affected
FortinetFortiProxy7.2.0 <= 7.2.15affected
FortinetFortiProxy7.0.0 <= 7.0.22affected
FortinetFortiSASE25.2.aaffected
FortinetFortiOS7.6.0 <= 7.6.2affected
FortinetFortiOS7.4.0 <= 7.4.7affected
FortinetFortiOS7.2.0 <= 7.2.12affected
FortinetFortiOS7.0.0 <= 7.0.18affected
FortinetFortiOS6.4.0 <= 6.4.16affected

Weaknesses

  • CWE-79: Improper access control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

Additional References

References