PSIRT Advisories

FortiMail - Cross-site scripting (XSS) in Webmail

Summary

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail Webmail may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack by sending specially crafted mail messages. The attacker needs no account on the appliance: the payload arrives in a message that is later rendered by Webmail in the recipient's browser, so the script executes in the context of the victim's Webmail session.
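To make the CWE-79 class of bug concrete, the following is an added example written for this page; it is not FortiMail's code and does not reproduce the actual injection point, which the advisory does not disclose. It uses constructed messages and hypothetical function names (parse_mail, render_vulnerable, render_hardened) to contrast a webmail-style renderer that concatenates mail headers and body straight into HTML with one that escapes them. It also covers the RFC 2047 encoded-word case, where the markup only appears after the Subject header is decoded, so escaping must happen after decoding, not before.

```python
"""Added illustration of CWE-79 in a webmail-style renderer (not FortiMail code)."""
import base64
import html
from email import message_from_string
from email.header import decode_header, make_header

# Constructed sample: attacker-controlled Subject carries a plain <script> tag.
CRAFTED_MAIL = """From: sender@example.invalid
To: victim@example.invalid
Subject: Invoice <script>alert(document.cookie)</script>
Content-Type: text/plain; charset=utf-8

Hello <b>there</b>, please see the attached invoice.
"""

# Constructed sample: same payload hidden in an RFC 2047 encoded-word Subject,
# so a byte-level filter applied before decoding would not see "<script>".
_ENCODED_SUBJECT = (
    "=?utf-8?B?" + base64.b64encode(b"<script>alert(1)</script>").decode("ascii") + "?="
)
ENCODED_MAIL = (
    "From: sender@example.invalid\n"
    "To: victim@example.invalid\n"
    f"Subject: {_ENCODED_SUBJECT}\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "See attached.\n"
)


def parse_mail(raw):
    """Parse a raw message; decode any encoded-word Subject to its real text."""
    msg = message_from_string(raw)
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    body = msg.get_payload()  # single-part text/plain in these samples
    return subject, body


def render_vulnerable(raw):
    """Improper neutralization: decoded attacker text is interpolated into HTML as-is."""
    subject, body = parse_mail(raw)
    return f"<h1>{subject}</h1>\n<pre>{body}</pre>"


def render_hardened(raw):
    """Escape after decoding so <, >, &, and quotes are shown as text, never parsed as markup."""
    subject, body = parse_mail(raw)
    return f"<h1>{html.escape(subject)}</h1>\n<pre>{html.escape(body)}</pre>"


def contains_active_markup(page):
    """Crude check used only to compare the two renderers in this example."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, raw in (("plain", CRAFTED_MAIL), ("encoded-word", ENCODED_MAIL)):
        print(name, "vulnerable:", contains_active_markup(render_vulnerable(raw)))
        print(name, "hardened:  ", contains_active_markup(render_hardened(raw)))
```

The hardened renderer escapes the decoded values at the point they are written into the page; filtering the raw message bytes instead would miss the encoded-word variant, and escaping only the body would leave the Subject line injectable.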

Affected Products

FortiMail version 7.0.0 through 7.0.3
FortiMail version 6.4.0 through 6.4.7
FortiMail version 6.2.0 through 6.2.8
FortiMail version 6.0.0 through 6.0.12

Solutions

Please upgrade to FortiMail version 7.2.0 or above
Please upgrade to FortiMail version 7.0.4 or above
Note that this advisory lists no fixed release within the 6.4, 6.2 or 6.0 branches; affected deployments on those branches should plan an upgrade to 7.0.4 or later.

Acknowledgement

Internally discovered by Giuseppe Cocomazzi.