PSIRT

Multiple reflected XSS

Summary

Multiple improper neutralization of input during web page generation (CWE-79) in FortiManager and FortiAnalyzer user interface may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious payload in GET parameters.

Affected Products

FortiAnalyzer version 7.0.0
FortiAnalyzer version 6.4.0 through 6.4.5
FortiAnalyzer version 6.2.0 through 6.2.7
FortiAnalyzer 6.0 all versions
FortiAnalyzer 5.6 all versions are not affected
FortiManager version 7.0.0
FortiManager version 6.4.0 through 6.4.5
FortiManager version 6.2.0 through 6.2.7
FortiManager 6.0 all versions
FortiManager 5.6 all versions are not affected

Solutions

Please upgrade to FortiManager version 6.2.8.
Please upgrade to FortiManager version 6.4.6.
Please upgrade to FortiManager version 7.0.1.
Please upgrade to FortiAnalyzer version 6.2.8.
Please upgrade to FortiAnalyzer version 6.4.6.
Please upgrade to FortiAnalyzer version 7.0.1.

Acknowledgement

Fortinet is pleased to thank Clément Amic, Pierre Milioni and Adrien Peter from Synacktiv for reporting this vulnerability under responsible disclosure.

Timeline

2021-08-03: Initial publication

IR Number	FG-IR-21-054
Published Date	Aug 3, 2021
Component	GUI
Severity	Medium
Discovered	External
Attack Type	Authenticated
Known Exploited	No
CVSSv3 Score	4.4
Impact	Execute unauthorized code or commands
CVE ID
Download	CVRF

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

PSIRT

Multiple reflected XSS

Summary

Affected Products

Solutions

Acknowledgement

Timeline

Research Center

Services

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

Threat Intelligence Center

Support Center

Resource Center

About

PSIRT

Multiple reflected XSS

Summary

Affected Products

Solutions

Acknowledgement

Timeline

Threat Intelligence
Center