Fortiguard

XSS vulnerability in FortiManager and FortiAnalyzer

Summary

An improper neutralization of script-related HTML tags in a web page in FortiManager and FortiAnalyzer may allow an attacker to perform a cross site scripting (XSS) attack via the Identify Provider name field.

Affected Products

FortiManager version 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5 and 6.2.6
FortiAnalyzer version 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5 and 6.2.6

Solutions

Please upgrade to FortiManager 6.4.0 or above
Please upgrade to FortiAnalyzer 6.4.0 or above

Acknowledgement

Fortinet is pleased to thank Danilo Costa from PBI Dynamic IT Security for reporting this vulnerability under responsible disclosure.

IR Number	FG-IR-20-005
Date	Sep 18, 2020
Severity	Medium
Impact	Execute unauthorized code or commands
CVE ID	CVE-2020-12811
Affected Products	FortiManager : 6.2.5, 6.2.3, 6.2.2, 6.2.1, 6.2.0 FortiAnalyzer : 6.2.9, 6.2.8, 6.2.7, 6.2.10
CVRF	Download

Network

Files and Endpoint

Application

Additional SOC Services

PSIRT Advisories

XSS vulnerability in FortiManager and FortiAnalyzer

Summary

Affected Products

Solutions

Acknowledgement

News / Research

Network

Files and Endpoint

Application

Additional SOC Services

FortiGate

FortiDeceptor

FortiClient

FortiMail

FortiEDR

FortiADC

FortiAnalyzer

FortiCWP

FortiWeb

FortiNDR

FortiSandBox

FortiTester

Threat Lookup

PSIRT

Resources

PSIRT Advisories

XSS vulnerability in FortiManager and FortiAnalyzer

Summary

Affected Products

Solutions

Acknowledgement