FortiAnalyzer and FortiManager stored XSS vulnerability in report filters
Summary
A stored cross-site-scripting vulnerability in FortiAnalyzer/FortiManager on the advanced settings page could allow an administrator to inject scripts through the add filter field.
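The advisory gives no code, so the following is an added illustration of the general pattern it describes, not Fortinet's code: a filter name saved by an administrator is later echoed into the report page. The function names, the in-memory store and the sample filter string are all assumed for the example. It shows the vulnerable string-building render beside the hardened one that HTML-encodes the stored value, plus a small check a test suite can use to confirm stored markup no longer survives rendering.

```javascript
// Added example (not Fortinet's code). Models a "stored report filter" whose
// name is persisted and later rendered into HTML. All names are assumed.

// Constructed sample input: a filter label carrying markup.
const SAMPLE_FILTER_NAME = 'srcip=10.0.0.1 <script>alert(1)</script>';

// In-memory stand-in for the persisted filter list.
const filterStore = [];

function saveFilter(name) {
  // Storage itself is not the defect: the string is only data until it is
  // interpolated into HTML without encoding.
  const filter = { id: filterStore.length + 1, name };
  filterStore.push(filter);
  return filter;
}

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so any tag it contains becomes part of the page.
function renderFilterRowUnsafe(filter) {
  return `<tr><td>${filter.id}</td><td>${filter.name}</td></tr>`;
}

// Hardened pattern: encode the five characters that can change the HTML
// parsing context before placing data into element content or a
// double-quoted attribute. '&' goes first to avoid double-encoding.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderFilterRowSafe(filter) {
  return `<tr><td>${escapeHtml(filter.id)}</td><td>${escapeHtml(filter.name)}</td></tr>`;
}

// Check for a unit test or review script: does the rendered HTML still carry
// a tag or event-handler attribute that came from the stored data rather
// than from the template?
function containsInjectedTag(html) {
  return /<script\b|<img\b|\bonerror\s*=/i.test(html);
}

// Convenience entry point returning both renderings for the sample filter.
function demo() {
  const filter = saveFilter(SAMPLE_FILTER_NAME);
  return {
    unsafe: renderFilterRowUnsafe(filter),
    safe: renderFilterRowSafe(filter),
  };
}
```

In a real page the safe row would be assigned to the table body's `innerHTML`; when building cells directly in the DOM, setting `textContent` on the cell avoids the encoding step entirely. `containsInjectedTag` is a coarse regression check, not a sanitizer: the fix is the encoding on output, and the check only confirms it was applied.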
Affected Products
FortiManager: 5.0.0 - 5.0.11, 5.2.0 - 5.2.2
FortiAnalyzer: 5.0.0 - 5.0.12, 5.2.0 - 5.2.2
Solutions
Upgrade to:
FortiManager
5.0.12 and above
5.2.3 and above
5.4.0 and above
FortiAnalyzer
5.0.13 and above
5.2.3 and above
5.4.0 and above
FortiManager hardware models without hard disk are not affected.
This feature is disabled by default in all FortiManager versions.
Acknowledgement
Fortinet is pleased to thank Ismail Saygili for reporting a FortiManager/FortiAnalyzer vulnerability under responsible disclosure.