{"api_version":"1","generated_at":"2026-05-06T22:01:31+00:00","cve":"CVE-2022-35850","urls":{"html":"https://cve.report/CVE-2022-35850","api":"https://cve.report/api/cve/CVE-2022-35850.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-35850","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-35850"},"summary":{"title":"CVE-2022-35850","description":"An improper neutralization of script-related HTML tags in a web page vulnerability [CWE-80] in FortiAuthenticator versions 6.4.0 through 6.4.4, 6.3.0 through 6.3.3, all versions of 6.2 and 6.1 may allow a remote unauthenticated attacker to trigger a reflected cross site scripting (XSS) attack via the \"reset-password\" page.","state":"PUBLIC","assigner":"psirt@fortinet.com","published_at":"2023-04-11 17:15:00","updated_at":"2023-11-07 03:49:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://fortiguard.com/psirt/FG-IR-22-275","name":"https://fortiguard.com/psirt/FG-IR-22-275","refsource":"MISC","tags":["Vendor Advisory"],"title":"PSIRT Advisories | FortiGuard","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-35850","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35850","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"35850","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fortinet","cpe5":"fortiauthenticator","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-35850","ASSIGNER":"psirt@fortinet.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"An improper neutralization of script-related HTML tags in a web page vulnerability [CWE-80] in FortiAuthenticator versions 6.4.0 through 6.4.4, 6.3.0 through 6.3.3, all versions of 6.2 and 6.1 may allow a remote unauthenticated attacker to trigger a reflected cross site scripting (XSS) attack via the \"reset-password\" page."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Execute unauthorized code or commands","cweId":"CWE-80"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Fortinet","product":{"product_data":[{"product_name":"FortiAuthenticator","version":{"version_data":[{"version_affected":"<=","version_name":"6.4.0","version_value":"6.4.4"},{"version_affected":"<=","version_name":"6.3.0","version_value":"6.3.3"},{"version_affected":"<=","version_name":"6.2.0","version_value":"6.2.2"},{"version_affected":"<=","version_name":"6.1.0","version_value":"6.1.3"}]}}]}}]}},"references":{"reference_data":[{"url":"https://fortiguard.com/psirt/FG-IR-22-275","refsource":"MISC","name":"https://fortiguard.com/psirt/FG-IR-22-275"}]},"solution":[{"lang":"en","value":"Please upgrade to FortiAuthenticator version 6.5.0 or above Please upgrade to FortiAuthenticator version 6.4.7 or above Please upgrade to FortiAuthenticator version 6.4.5 or above Please upgrade to FortiAuthenticator version 6.3.4 or above "}],"impact":{"cvss":[{"version":"3.1","attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.2,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:U/RC:C"}]}},"nvd":{"publishedDate":"2023-04-11 17:15:00","lastModifiedDate":"2023-11-07 03:49:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.0","versionEndExcluding":"6.3.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4.0","versionEndExcluding":"6.4.7","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}