PSIRT Advisories

Multiple XSS vulnerabilities in FortiManager GUI

Description

The Graphical User Interface (GUI) of FortiManager v5.2.2 is vulnerable to two reflected Cross-Site Scripting (XSS) vulnerabilities.
2 potential XSS vectors were identified:
* XSS vulnerability in SOMVpnSSLPortalDialog.
* XSS vulnerability in FGDMngUpdHistory.
The Graphical User Interface (GUI) of FortiManager v5.2.3 is vulnerable to one reflected XSS vulnerability and one stored XSS vulnerability.
2 potential XSS vectors were identified:
* XSS vulnerability in sharedjobmanager.
* XSS vulnerability in SOMServiceObjDialog.

Impact Detail

A remote attacker may be able to execute arbitrary code in the security context of an authenticated user's browser session.

Affected Products

XSS items 1-2: FortiManager v5.2.2 or earlier. XSS items 3-4: FortiManager v5.2.3 or earlier.

Solutions

Update to FortiManager v5.2.4. No workarounds are currently available.

Acknowledgement

Fortinet PSIRT wishes to thank John Page for his commitment to Responsible Disclosure by responsibly disclosing these issues to Fortinet.