PSIRT Advisories

FortiOS - Host header injection vulnerability


An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS may allow a remote unauthenticated attacker to either redirect users to malicious websites via a crafted "Host" header or to execute JavaScript code in the victim's browser context.

This happens when the FortiGate has web filtering and category override enabled/configured.

Affected Products

FortiOS version 6.4.1 and below.


Please upgrade to FortiOS version 6.4.2 or above.


Fortinet is pleased to thank Justin McCarthy for reporting this issue under responsible disclosure.