CVE-2023-36637 LOW

CVE-2023-36637

Vendor Fortinet

Product FortiMail

Weakness CWE-79 · XSS

Published October 10, 2023

Last update September 18, 2024

View on NVD All CVEs

CVSS base score

3.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:F/RL:X/RC:C

What the vulnerability does

01Description

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to inject HTML tags in FortiMail's calendar via input fields.

Key dates

02Disclosure timeline

October 10, 2023 CVE published

September 18, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-36637 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-48253 WordPress Free Shipping Bar: Amount Left for Free Shipping for WooCommerce plugin <= 2.4.6 - Cross Site Scripting (XSS) Vulnerability CVE-2026-40137 Cross-Site Scripting (XSS) vulnerability in Business Server Pages Application (TAF_APPLAUNCHER) CVE-2024-21628 XSS can be stored in DB from "add a message form" in order detail page (FO) CVE-2024-2145 SourceCodester Online Mobile Management Store update-tracker.php cross site scripting CVE-2025-5661 code-projects Traffic Offense Reporting System Setting save-settings.php cross site scripting

Identifiers

CVE CVE-2023-36637

CWE CWE-79

CVSS 3.4 / LOW

Affected versions

Vendor Fortinet

Product FortiMail

Affected ≥ 7.2.0 and ≤ 7.2.2

Vendor Fortinet

Product FortiMail

Affected ≥ 7.0.1 and ≤ 7.0.5