FortiSIEM - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FortiSIEM - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious JavaScript code into the description field of a Device Maintenance schedule.

Affected Products

FortiSIEM version 5.2.5 and below.

Solutions

Please upgrade to FortiSIEM version 5.2.6 and above.

Acknowledgement

Fortinet is very pleased to thank Luca Sangalli (luca91.sanga@gmail.com ; https://it.linkedin.com/in/luca-sangalli-0a6462105 ) for bringing this issue to our attention under responsible disclosure and for helping us make our products more secure.