Multiple products cross-site scripting vulnerabilities

Summary

The Web User Interface of FortiGate, FortiManager, FortiAnalyzer, FortiMail and FortiADC D models are vulnerable to reflected cross-site scripting vulnerabilities.
Starting from FortiOS 5.2.0, three XSS are present in the sslvpn login page (CVE-2015-1880), user group (CVE-2014-8616) and the vpn template menus (CVE-2014-8616).
Starting from FortiManager 5.0.3, there is a XSS located in the advanced dataset reports page when the FortiAnalyzer feature is activated (CVE-2015-3620).
Starting from FortiAnalyzer 5.0.0 to 5.0.10 and 5.2.0 and 5.2.1, there is a XSS located in the advanced dataset reports page (CVE-2015-3620).
All fortimail versions contains one XSS in web action quarantine release feature (CVE-2014-8617).
Between versions 5.1.2 and 5.3.4 included, FortiWeb contains two XSS in the autolearn configuration page (CVE-2014-8619).
Prior to version 4.2, FortiADC D models contains one XSS in the theme login page (CVE-2014-8618).

Description

The Web User Interface of FortiGate, FortiManager, FortiAnalyzer, FortiMail and FortiADC D models are vulnerable to reflected cross-site scripting vulnerabilities.
Starting from FortiOS 5.2.0, three XSS are present in the sslvpn login page (CVE-2015-1880), user group (CVE-2014-8616) and the vpn template menus (CVE-2014-8616).
Starting from FortiManager 5.0.3, there is a XSS located in the advanced dataset reports page when the FortiAnalyzer feature is activated (CVE-2015-3620).
Starting from FortiAnalyzer 5.0.0 to 5.0.10 and 5.2.0 and 5.2.1, there is a XSS located in the advanced dataset reports page (CVE-2015-3620).
All fortimail versions contains one XSS in web action quarantine release feature (CVE-2014-8617).
Between versions 5.1.2 and 5.3.4 included, FortiWeb contains two XSS in the autolearn configuration page (CVE-2014-8619).
Prior to version 4.2, FortiADC D models contains one XSS in the theme login page (CVE-2014-8618).

Impact Detail

A remote attacker may be able to execute arbitrary scripts in the context of an authenticated user's browser session.

Affected Products

FortiGate, FortiManager, FortiAnalyzer, FortiMail, FortiWeb, FortiADC D models only.

Solutions

Upgrade to FortiOS 5.2.3 or above
FortiManager 5.0.3 through v5.0.10: A fix will be included in upcoming version v5.0.11. Alternatively, one may upgrade to v5.2.2, which is already available.
FortiManager 5.2 through 5.2.1: Upgrade FortiManager to 5.2.2
FortiAnalyzer 5.0.0 through 5.0.10: A fix will be included in upcoming version v5.0.11. Alternatively, one may upgrade to v5.2.2, which is already available.
FortiAnalyzer 5.2 through 5.2.1: Upgrade FortiAnalyzer to 5.2.2
Upgrade to FortiMail 4.3.9 / 5.0.8 / 5.1.5 / 5.2.3 or above
Upgrade to FortiWeb 5.3.5 or above
Upgrade to FortiADC 4.2 or above

Acknowledgement

Jared Haight
William Costa
Benjamin Kunz Mejri (Vulnerability Laboratory, Evolution Security GmbH)