PSIRT Advisories

FortiMail reflected XSS vulnerability under customized webmail login page


Summary

A reflected cross-site scripting (XSS) vulnerability exists in the FortiMail customized pre-authentication webmail login page. A successful attacker can run arbitrary JavaScript code in the security context of the victim's browser.

Affected Products

FortiMail 5.2.0 -> 5.2.9

FortiMail 5.3.0 -> 5.3.9

FortiMail 5.1 and below.


Solutions

FortiMail 5.2 branch, upgrade to 5.2.10 or above.

FortiMail 5.3 branch, upgrade to 5.3.10 or above.

FortiMail 5.4 branch, not impacted.

FortiMail 5.1 and below, use the system default login portal instead of a customized webmail login portal.
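The affected-product ranges and the per-branch remediation above, turned into a small inventory check. This is an added example, not Fortinet's code: it classifies one appliance by version and by whether a customized login page is in use (the only code path the advisory says is reachable), and it assumes, beyond what the advisory states, that branches newer than 5.4 are not impacted either.

```python
# Added example (not Fortinet's code): classify a FortiMail version against the
# ranges in this advisory and return the recommended action for that appliance.
from typing import Tuple


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '5.2.9' into (5, 2, 9); missing components become 0."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def assess(version: str, custom_login_page: bool) -> dict:
    """Return exposure status and the advisory's remediation for one appliance.

    The flaw is only reachable through the customized pre-authentication
    webmail login page, so an appliance on the default portal is not exposed
    regardless of version. Branches above 5.4 are not named in the advisory;
    treating them like 5.4 (not impacted) is an assumption of this example.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch == (5, 2) and patch <= 9:
        fixed, action = False, "upgrade to 5.2.10 or above"
    elif branch == (5, 3) and patch <= 9:
        fixed, action = False, "upgrade to 5.3.10 or above"
    elif branch <= (5, 1):
        fixed, action = False, "use the system default login portal"
    else:
        # 5.2.10+, 5.3.10+, the 5.4 branch and (assumed) anything newer.
        fixed, action = True, "none"

    if fixed:
        return {"status": "not_affected", "action": "none"}
    if not custom_login_page:
        # Vulnerable build, but the vulnerable page is not in use.
        return {"status": "not_exposed", "action": "keep the default login portal"}
    return {"status": "vulnerable", "action": action}
```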


Acknowledgement

Fortinet is pleased to thank Silas Aitchison for reporting this vulnerability under responsible disclosure.