PSIRT Advisories

FortiWebManager - Injection vulnerabilities

Summary

An improper neutralization of input during web page generation vulnerability [CWE-79, cross-site scripting] in FortiWebManager may allow a remote authenticated attacker to inject malicious script or HTML tags via the name, description, or comments parameters of various sections of the device's management interface. Because these values are stored and later rendered to other users of the interface, the injected content executes in the browser of whoever views the affected section.
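The weakness class described above, as an added illustration that is not Fortinet's code and does not reflect FortiWebManager's implementation: a row of a management table is built from a stored record whose name/description/comments fields (hypothetical field names) an authenticated user can edit. The vulnerable renderer concatenates the fields into HTML verbatim; the hardened one HTML-escapes each field at the point it is written into element content. A small parser-based check lists any tag that the template itself never emits, which is a practical way to confirm that user-supplied markup no longer reaches the page as live HTML. The sample record and payloads are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample record: one object whose free-text fields an authenticated
# user controls. Field names are hypothetical, not FortiWebManager's.
SAMPLE_PAYLOAD = "<script>alert(document.cookie)</script>"
SAMPLE_RECORD = {
    "name": "edge-fw-01" + SAMPLE_PAYLOAD,
    "description": 'Primary <img src=x onerror="alert(1)"> node',
    "comments": "Approved by \"ops\" & 'netsec'",
}

# Tags the table template legitimately produces; anything else in the output
# can only have come from user data.
TEMPLATE_TAGS = {"tr", "td"}


def render_vulnerable(record: dict) -> str:
    """CWE-79 pattern: stored, attacker-controlled strings are concatenated
    straight into the HTML response, so '<script>' in a name becomes a real
    script element for every viewer of the table."""
    return (
        "<tr>"
        f"<td>{record['name']}</td>"
        f"<td>{record['description']}</td>"
        f"<td>{record['comments']}</td>"
        "</tr>"
    )


def render_hardened(record: dict) -> str:
    """Hardened pattern: escape each value at output time, for the HTML
    element-content context it is written into. quote=True also encodes
    '"' and "'" so the same helper is safe if a field is later reused
    inside a quoted attribute value."""
    def cell(value: str) -> str:
        return f"<td>{html.escape(value, quote=True)}</td>"

    return (
        "<tr>"
        + cell(record["name"])
        + cell(record["description"])
        + cell(record["comments"])
        + "</tr>"
    )


class _TagCollector(HTMLParser):
    """Records every start tag the browser-like parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def foreign_tags(rendered: str) -> list:
    """Parse the rendered fragment and return tags the template never emits.
    A non-empty result means user data was interpreted as markup."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [tag for tag in parser.tags if tag not in TEMPLATE_TAGS]


if __name__ == "__main__":
    print("vulnerable :", foreign_tags(render_vulnerable(SAMPLE_RECORD)))
    print("hardened   :", foreign_tags(render_hardened(SAMPLE_RECORD)))
    print(render_hardened(SAMPLE_RECORD))
```

Entity-escaping for element content is the right fix only for that context; a value placed inside a JavaScript block, a URL, or an unquoted attribute needs the encoder for that context, and a Content-Security-Policy that forbids inline script is a sensible second layer for a management interface where stored values are shown to administrators.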

Affected Products

FortiWebManager version 6.2.3 and below.
FortiWebManager version 6.0.x.

Solutions

Please upgrade to FortiWebManager version 6.2.4 or above.


Acknowledgement

Fortinet is pleased to thank Danilo Costa from Sigma Telecom for reporting this issue under responsible disclosure.