FortiWebManager - Injection vulnerabilities


An improper neutralization of input during web page generation (cross-site scripting) vulnerability [CWE-79] in FortiWebManager may allow a remote authenticated attacker to inject malicious scripts or tags via the name, description, or comments parameters in various sections of the device.

Affected Products

FortiWebManager version 6.2.3 and below.
FortiWebManager version 6.0.x.


Please upgrade to FortiWebManager version 6.2.4 or above.



Fortinet is pleased to thank Danilo Costa from Sigma Telecom for reporting this issue under responsible disclosure.