PSIRT Advisories

FortiAnalyzer - XSS vulnerability

Summary

An improper neutralization of input during web page generation [CWE-79] in FortiAnalyzer may allow an attacker to perform a stored Cross-Site Scripting (XSS) attack via specially crafted requests to the web GUI.

Affected Products

FortiAnalyzer versions 6.0.6 and below.
FortiAnalyzer version 6.4.4.

Solutions

Please upgrade to FortiAnalyzer version 6.0.7 or above.
Please upgrade to FortiAnalyzer version 6.2.0 or above.
Please upgrade to FortiAnalyzer version 6.4.0 to 6.4.3, or 6.4.5 or above.
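As an added example (not part of the advisory and not Fortinet code), the following Python check encodes the affected and fixed ranges listed above so an inventory of FortiAnalyzer version strings can be screened. It exists because the 6.4 branch is not a simple "newer than X" case: 6.4.0 to 6.4.3 are listed as fixed while 6.4.4 is affected, so a single threshold comparison would misclassify that branch. The version strings in the inventory are constructed sample input.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    """Parse 'major.minor.patch' (optional leading 'v') into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {s!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True if the version is in an affected range named by the advisory."""
    v = parse_version(version)
    # Affected Products: "6.0.6 and below" and the single release 6.4.4.
    # Everything else listed under Solutions (6.0.7+, 6.2.0+, 6.4.0-6.4.3,
    # 6.4.5+) is treated as fixed.
    return v <= (6, 0, 6) or v == (6, 4, 4)


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest fixed release on the same branch, or None if not affected."""
    v = parse_version(version)
    if not is_affected(version):
        return None
    if v[:2] == (6, 4):        # 6.4.4 -> next fixed release on 6.4
        return "6.4.5"
    return "6.0.7"             # 6.0.x (and anything older) -> 6.0.7


def assess_inventory(hosts: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map host name -> recommended upgrade (None means not affected)."""
    return {name: recommended_upgrade(ver) for name, ver in hosts.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"faz-a": "6.0.6", "faz-b": "6.4.3", "faz-c": "6.4.4", "faz-d": "6.2.1"}
    for host, target in assess_inventory(sample).items():
        print(host, "affected -> upgrade to" if target else "not affected", target or "")
```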

Acknowledgement

Fortinet is pleased to thank independent researchers Nicolas Fiset and Sérgio Lourenço Ribeiro for reporting this vulnerability under responsible disclosure.