CVE-2021-26087

Published: Mar 17, 2025Modified: Jul 24, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

An improper neutralization of input during web page generation in FortiWLC version 8.6.0, version 8.5.3 and below, version 8.4.8 and below, version 8.3.3 web interface may allow both authenticated remote attackers and non-authenticated attackers in the same network as the appliance to perform a stored cross site scripting attack (XSS) via injecting malicious payloads in different locations.

Affected (4)

Products: Fortinet: Fortiwlc

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortiwlc	From 8.4.0 to 8.4.2
Fortinet Fortiwlc	From 8.4.4 to 8.5.4
Fortinet Fortiwlc	Version 8.3.3
Fortinet Fortiwlc	Version 8.6.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-20-137

Source: psirt@fortinet.com

Vendor Advisory

Timeline

No history available yet.