PSIRT Advisory

XSS vulnerability in FortiManager and FortiAnalyzer

Summary

An improper neutralization of script-related HTML tags in a web page in FortiManager and FortiAnalyzer may allow an attacker to perform a cross-site scripting (XSS) attack via the Identity Provider name field.
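The following is an added illustration of the weakness class named above and is not Fortinet code. It assumes a generic settings page that echoes a stored Identity Provider name into a table cell; the function names, the sample value and the allowlist rule are all constructed for the illustration.

```python
import html
import re

# Constructed sample: an Identity Provider name containing markup, as it
# might be submitted through a settings form (constructed, not a real payload).
SAMPLE_IDP_NAME = "<script>alert(1)</script>Corp SSO"

# Hypothetical allowlist for a display name: letters, digits, space and a few
# punctuation characters. Input validation is defence in depth, not a
# replacement for output encoding.
IDP_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def render_idp_row_unsafe(idp_name: str) -> str:
    """Vulnerable pattern: untrusted text is concatenated straight into HTML,
    so any tags in the name are interpreted by the browser (CWE-79)."""
    return f"<td class='idp-name'>{idp_name}</td>"


def render_idp_row_safe(idp_name: str) -> str:
    """Hardened pattern: encode the value for an HTML element-content context.
    html.escape turns < > & ' " into entities, so the browser shows the name
    as text instead of executing it."""
    return f"<td class='idp-name'>{html.escape(idp_name, quote=True)}</td>"


def is_valid_idp_name(idp_name: str) -> bool:
    """Reject names outside the hypothetical allowlist before they are stored."""
    return IDP_NAME_RE.fullmatch(idp_name) is not None


def contains_raw_tag(fragment: str) -> bool:
    """Simple check a reviewer or test can run over rendered output: does the
    fragment still contain an unencoded script-style tag?"""
    return re.search(r"<\s*/?\s*script", fragment, re.IGNORECASE) is not None


def displayed_text(encoded_cell: str) -> str:
    """Recover what the browser would display from the safe cell, to show the
    encoding is lossless: the operator still sees the full name."""
    inner = encoded_cell[len("<td class='idp-name'>"):-len("</td>")]
    return html.unescape(inner)


if __name__ == "__main__":
    print("unsafe :", render_idp_row_unsafe(SAMPLE_IDP_NAME))
    print("safe   :", render_idp_row_safe(SAMPLE_IDP_NAME))
    print("valid? :", is_valid_idp_name(SAMPLE_IDP_NAME))
```

The safe renderer is the fix that matters: encoding at output time protects every place the name is displayed, while the allowlist only narrows what can be stored. The `contains_raw_tag` check is the kind of assertion that belongs in a template's regression test so the vulnerable pattern cannot be reintroduced.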

Impact

Execute unauthorized code or commands

Affected Products

FortiManager version 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5 and 6.2.6
FortiAnalyzer version 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5 and 6.2.6

Solutions

Please upgrade to FortiManager 6.4.0 or above
Please upgrade to FortiAnalyzer 6.4.0 or above

Acknowledgement

Fortinet is pleased to thank Danilo Costa from PBI Dynamic IT Security for reporting this vulnerability under responsible disclosure.