CVE-2019-16151 MEDIUM

CVE-2019-16151

Vendor Fortinet
Product FortiOS
Weakness CWE-79 · XSS
Published March 21, 2025
Last update March 21, 2025
View on NVD All CVEs

CVSS base score

4.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:X/RC:X

What the vulnerability does

01Description

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS 6.4.1 and below, 6.2.9 and below may allow a remote unauthenticated attacker to either redirect users to malicious websites via a crafted "Host" header or to execute JavaScript code in the victim's browser context. This happens when the FortiGate has web filtering and category override enabled/configured.

Key dates

02Disclosure timeline

March 21, 2025 CVE published
March 21, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-6353 code-projects Responsive Blog search.php cross site scripting CVE-2023-27421 WordPress Everest News Theme <= 1.1.0 is vulnerable to Cross Site Scripting (XSS) CVE-2023-5362 Carousel, Recent Post Slider and Banner Slider <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2021-24276 Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site scripting (XSS) CVE-2025-48954 Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow