| IR Number | FG-IR-19-197 |
| Date | Jan 27, 2020 |
| Severity |
Medium |
| Impact | Unauthorized code execution |
| CVE ID | CVE-2019-17651 |
| Affected Products |
FortiSIEM
:
5.2.5
|
| CVRF | Download |
Refine Search
PSIRT Advisories
FortiSIEM - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious JavaScript code into the description field of a Device Maintenance schedule.
Affected Products
FortiSIEM version 5.2.5 and below.
Solutions
Please upgrade to FortiSIEM version 5.2.6 and above.
Acknowledgement
Fortinet is very pleased to thank Luca Sangalli (luca91.sanga@gmail.com ; https://it.linkedin.com/in/luca-sangalli-0a6462105 ) for bringing this issue to our attention under responsible disclosure and for helping us make our products more secure.