Cross-Site Scripting (XSS) vulnerabilities keep popping up—even in big name security gear. If you use FortiManager or FortiAnalyzer, you should know about CVE-2022-39950, a noteworthy XSS flaw that makes it possible for attackers to run JavaScript in your browser using nothing but a carefully crafted comment. In this deep-dive, we’ll break down what went wrong, see some vulnerable code, and show how an attacker could exploit this bug for serious impact.

What Is CVE-2022-39950? (Explained Simply)

CVE-2022-39950 is an improper neutralization of input during web page generation (CWE-79)—a classic stored XSS. The problem affects the following Fortinet products and versions:

*7.. – 7..4*

It happens when someone posts a specially crafted CKEditor “protected comment” as input in a report template. The system fails to sanitize this comment properly on output, so malicious JavaScript sneaks into the generated report display.

> Low privilege users can trigger this—no need for powerful admin rights.

References:  
- Fortinet PSIRT Advisory FG-IR-22-309
- NVD writeup for CVE-2022-39950
- CKEditor protected comments vulnerability CVE-202-9281

The Role of CKEditor and Comments

FortiManager and FortiAnalyzer both use CKEditor, a rich-text editor, for creating and editing report templates. CKEditor lets you insert special “protected” comments in the template’s underlying HTML, like this:

<!--{cke_protected}%3Cscript%3Ealert('XSS')%3C/script%3E-->

This is supposed to keep content “safe” by hiding it from direct HTML output. But improper handling can reveal the danger.

Vulnerable Code Pattern

When a user adds content using CKEditor, the editor encodes certain elements that go into the template content (i.e., the database). When generating the reporting page, Fortinet’s apps decode and output these elements inside the page, sometimes without escaping or sanitizing them.

It often looks roughly like this (pseudo-code)

// Load template content from database
$content = db_get_template_content($id);

// Output into HTML
echo "<div class='report-content'>$content</div>";

If $content includes a dangerous <script> tag hidden as a CKEditor protected comment, and the processing code reveals this back into the DOM, JavaScript can run in the browser.

Crafting the Exploit: Turn a Simple Comment Into XSS

Let’s walk through a basic exploitation step-by-step.

An attacker creates a CKEditor protected comment that decodes to a JavaScript tag, just like

<!--{cke_protected}%3Cscript%3Ealert('XSS from Comment!')%3C/script%3E-->

URL-decoded:

<script>alert('XSS from Comment!')</script>

Edits a report template

- Switches to HTML/source mode in CKEditor

3. Triggering the XSS

When any user (admin or otherwise) opens the generated/generate report page for this template, the server-side code:

*Injects <script> directly into the HTML page*

Result: The JavaScript runs in the viewer’s browser.

Suppose the backend emits the raw comment content

<div class="report-content">
  <!--{cke_protected}%3Cscript%3Ealert('XSS')%3C/script%3E-->
</div>

And the frontend processes or displays the protected payload unsafely. You get

<script>alert('XSS!')</script>


Triggering a popup for the user—proof the XSS worked!

Trigger malicious actions on behalf of users

And because reporting templates are shared and used often, this is a powerful and dangerous attack route.

How Was This Similar to CVE-202-9281?

CKEditor’s “protected source” system has made mistakes before—CVE-202-9281 describes a related bug. Attackers encoded malicious content into these protected blocks, which were then decoded unsafely by backend logic.

Mitigation and Fix

Fortinet fixed this in later versions—see their advisory.

Final Thoughts

CVE-2022-39950 might sound “just like another XSS,” but for those managing security appliances, it’s a stark lesson:

- Fortinet FortiGuard Security Advisory
- Official NIST/NVD entry for CVE-2022-39950
- CKEditor CVE-202-9281
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


If your organization still runs a vulnerable FortiManager or FortiAnalyzer, patch ASAP—or risk hackers exploiting your security software against you!


*[This post is an exclusive, educational deep-dive for the IT and security community. Share to help spread real-world awareness of web security weaknesses—even in defense tools.]*

Timeline

Published on: 11/02/2022 12:15:00 UTC
Last modified on: 11/03/2022 17:50:00 UTC