CVE-2022-40680

CVE-2022-40680 – Fortinet FortiOS

Vulnerability Description: Stored Cross-Site Scripting - CWE-79

Software Version: FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-40680

CVSSv3: 5.4

Severity: Medium

Credits: Massimiliano Ferraresi, Massimiliano Brolli

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3 allows a privileged attacker to execute unauthorized code or commands via storing malicious payloads in replacement messages.

Step-by-step instructions and PoC

The vulnerability can be reproduced through the following actions.

An attacker with system permission can inject arbitrary JavaScript code into the Replacement Messages pages.

Figure 3 Replacement Messages function

The attacker has to open and modify a page like “FortiGuard Block Page”:

Figure 4 Source of “FortiguardBlockPage”

In the HTML source I tried to inject arbitrary JavaScript code, but with the simple payload <script>alert(1);</script> the application did not execute anything:

Figure 5 Simple Payload injected

Probably the application sanitizes the <script></script> content and does not execute the JavaScript code inside these tags; however, with a custom payload like <image/src/onerror=prompt("XSS")> it is possible to execute arbitrary JavaScript code:

·       <image/src/onerror=prompt("XSS")>

Figure 6 XSS

Click on “ok” and save the setting. The malicious code is now stored in the FortiGuardBlockPage; if a user visits this page, the arbitrary JavaScript code will execute:

Figure 7 Malicious javascript stored in the body

Security Impact

A potential attacker could modify the vulnerable web page with malicious javascript code permanently, thereby attacking anyone who visits the page.
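
The behaviour described in the steps above, where the <script> payload does nothing but an event-handler attribute runs, is why an audit of stored replacement-message HTML has to look at every script-capable construct and not only at script elements. The following is an added example, not code from the original advisory or from Fortinet; the sample template, the names ActiveContentAuditor, audit and strip_script_elements, and the script-only filter used for comparison are assumptions for illustration.

```python
import re
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "formaction"}  # attributes that can carry javascript: URLs


class ActiveContentAuditor(HTMLParser):
    """Records (line, tag, reason) for each script-capable construct in a template."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "script":
            self.findings.append((line, tag, "script element"))
        for name, value in attrs:
            if name.startswith("on"):  # onerror, onload, onclick, ...
                self.findings.append((line, tag, "event handler " + name))
            elif name in URL_ATTRS and value:
                # Drop whitespace before comparing the URL scheme.
                if "".join(value.split()).lower().startswith("javascript:"):
                    self.findings.append((line, tag, "javascript: URL in " + name))


def audit(html):
    """Return all findings for one stored HTML template."""
    parser = ActiveContentAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def strip_script_elements(html):
    # Hypothetical script-only filter (not FortiOS code), kept for comparison.
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", html)


# Constructed sample template plus the two payloads quoted on this page.
CLEAN = "<html><body>\n<h1>Blocked</h1>\n<p>Access denied.</p>\n</body></html>"
WITH_SCRIPT = CLEAN.replace("</body>", "<script>alert(1);</script>\n</body>")
WITH_HANDLER = CLEAN.replace("</body>", '<image/src/onerror=prompt("XSS")>\n</body>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("script", WITH_SCRIPT), ("handler", WITH_HANDLER)):
        print(label, audit(doc), audit(strip_script_elements(doc)))
```

Run against exported replacement messages, any finding on a template that is expected to be static HTML is worth reviewing together with the administrator account that last edited it.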