PSIRT Advisories

FortiOS stored XSS vulnerability in the policy global-label parameter


FortiOS is subject to a Cross-Site Scripting vulnerability due to an improperly sanitized parameter in a hidden CLI configuration setting named 'global-label'. However, this can only be exploited by an administrator with write privileges.

Affected Products

* FortiOS 5.2 branch from 5.2.0 to 5.2.10
* FortiOS 5.0 branch


Solutions

* FortiOS 5.0 and 5.2 users must upgrade to FortiOS 5.2.11 or 5.4.0 and above
* FortiOS 4.3 branch is not vulnerable
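
To triage a device inventory against the version ranges listed above, the following added example (not Fortinet code) classifies FortiOS version strings. The status labels, hostnames and version strings in the sample inventory are constructed for illustration, and the string format is an assumption.

```python
import re

def parse_version(text):
    """Return (major, minor, patch) from a version string; patch is None if absent."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), None if patch is None else int(patch)

def classify(text):
    """Map a FortiOS version string to what the advisory states about it."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch == (5, 0):
        return "affected"          # the whole 5.0 branch is listed as affected
    if branch == (4, 3):
        return "not_vulnerable"    # stated explicitly in the advisory
    if branch == (5, 2):
        if patch is None:
            return "not_listed"    # a bare "5.2" cannot be placed in the range
        return "affected" if patch <= 10 else "fixed"   # 5.2.0-5.2.10 vs 5.2.11+
    if branch >= (5, 4):
        return "fixed"             # 5.4.0 and above
    return "not_listed"            # the advisory makes no statement

def triage(inventory):
    """Classify every host in a {hostname: version string} mapping."""
    return {host: classify(version) for host, version in inventory.items()}

# Constructed sample inventory (hypothetical hosts, placeholder build numbers).
SAMPLE_INVENTORY = {
    "fw-branch-01": "v5.2.10,build0000",
    "fw-branch-02": "v5.2.11,build0000",
    "fw-dc-01": "v5.0.14,build0000",
    "fw-legacy-01": "v4.3.18,build0000",
    "fw-core-01": "v5.4.0,build0000",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:20} {status}")
```

Hosts reported as `affected` need the upgrade listed above; `not_listed` means the advisory does not cover that version and it should be checked manually.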


Fortinet is pleased to thank Mohamed Keffous from CAP GEMINI/SOGETI for reporting this vulnerability under responsible disclosure.