PSIRT Advisory

HTML Injection Vulnerability observed in FortiAnalyzer and FortiTester

Summary

An improper neutralization of input vulnerability in FortiAnalyzer and FortiTester may allow a remote authenticated attacker to inject script-related HTML tags via the Storage Connectors Name parameter (FortiAnalyzer) and the IPv4/IPv6 address fields (FortiTester) respectively.

Impact

Unauthorized code execution

Affected Products

FortiAnalyzer versions 6.2.5, 6.4.1 and below.

FortiTester versions 3.8.0, 3.7.0 and below.

Solutions

Please upgrade to FortiAnalyzer version 6.2.6, 6.4.2 or above.

Please upgrade to FortiTester version 3.9.0 or above.

Acknowledgement

Fortinet is pleased to thank researchers Johnatan Camargo and Danilo Costa for reporting this vulnerability under responsible disclosure.