FortiMail - Cross-site scripting (XSS) in Webmail

Summary

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail Webmail may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack via sending specially crafted mail messages.

Version Affected Solution
FortiMail 7.2 Not affected Not Applicable
FortiMail 7.0 7.0.0 through 7.0.3 Upgrade to 7.0.4 or above
FortiMail 6.4 6.4 all versions Migrate to a fixed release
FortiMail 6.2 6.2 all versions Migrate to a fixed release
FortiMail 6.0 6.0 all versions Migrate to a fixed release

Acknowledgement

Internally discovered by Giuseppe Cocomazzi.