Reflected cross-site scripting in error controllers

Summary

Multiple improper neutralization of input during web page generation ('Cross-site Scripting') vulnerabilities [CWE-79] in FortiWeb may allow an unauthenticated attacker to inject malicious JavaScript code into the response web page via crafted requests to the device's error handlers. The injected script is reflected from the attacker's own request, so exploitation requires a victim to open an attacker-supplied link to the affected device; the script then runs in the victim's browser in the context of the FortiWeb origin.
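The pattern behind a CWE-79 finding in an error handler, as an added illustration written for this page: it is not FortiWeb code and does not describe how FortiWeb's handlers are built. A 404 handler that copies the decoded request path into the page body without HTML-encoding it reflects whatever markup the attacker put in the link; the hardened version encodes the value for the HTML context and adds defence-in-depth headers. The probe helper is the check a tester runs against an error page with a few markup payloads. The request paths and payloads are constructed for the example.

```python
"""Reflected XSS in an HTTP error handler: vulnerable vs hardened, plus a probe.

Example code for this page, not FortiWeb code. The handlers are hypothetical
and only model the CWE-79 pattern: untrusted request data rendered into HTML.
"""
import html
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote, unquote

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

# Constructed attacker input: the request target of a 404 as it arrives
# percent-encoded on the wire, and the markup it decodes to.
ATTACK_PATH = "/missing/%3Cscript%3Ealert(document.domain)%3C/script%3E"
PAYLOAD = "<script>alert(document.domain)</script>"


def not_found_vulnerable(raw_path: str) -> Response:
    """Reflects the decoded path verbatim into an HTML body context (CWE-79)."""
    path = unquote(raw_path)
    body = (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>The requested URL {path} was not found on this server.</p>"
        "</body></html>"
    )
    return 404, {"Content-Type": "text/html"}, body


def not_found_hardened(raw_path: str) -> Response:
    """Same page, with the untrusted value encoded for the HTML body context.

    html.escape(quote=True) neutralises < > & " ' so the value can no longer
    close the <p> or open a tag or attribute. The headers are defence in depth:
    nosniff stops content-type guessing and the CSP blocks inline script even
    if an encoding gap is found later.
    """
    path = unquote(raw_path)
    body = (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>The requested URL {html.escape(path, quote=True)} "
        "was not found on this server.</p>"
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    }
    return 404, headers, body


# Constructed probe payloads; each contains characters that must be encoded
# in an HTML body context, so a verbatim echo proves the handler is reflecting.
PROBES: List[str] = [
    PAYLOAD,
    '"><img src=x onerror=alert(1)>',
]


def reflected_payloads(handler: Callable[[str], Response],
                       payloads: List[str] = PROBES) -> List[str]:
    """Send each payload as a percent-encoded path to a nonexistent resource
    and report the ones that come back in the body unencoded."""
    hits: List[str] = []
    for p in payloads:
        status, headers, body = handler("/missing/" + quote(p, safe=""))
        if status == 404 and headers.get("Content-Type", "").startswith("text/html") and p in body:
            hits.append(p)
    return hits


if __name__ == "__main__":
    print("vulnerable reflects:", reflected_payloads(not_found_vulnerable))
    print("hardened  reflects:", reflected_payloads(not_found_hardened))
    print(not_found_hardened(ATTACK_PATH)[2])
```

The probe deliberately only uses payloads containing HTML metacharacters; a value such as `javascript:alert(1)` survives encoding unchanged and would be a false positive for this check.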

Affected Products

FortiWeb version 6.0.0 through 6.0.7
FortiWeb version 6.1.0 through 6.1.2
FortiWeb version 6.2.0 through 6.2.7
FortiWeb version 6.3.0 through 6.3.15
FortiWeb version 6.4.0 through 6.4.1

Solutions

Upgrade to FortiWeb version 7.0.0 or above.
Upgrade to FortiWeb version 6.4.2 or above.
Upgrade to FortiWeb version 6.3.16 or above.

No fixed release is listed for the 6.0, 6.1 and 6.2 branches; devices on those branches need to move to 6.3.16, 6.4.2 or 7.0.0 or above.
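A triage helper for checking an inventory of FortiWeb version strings against the ranges above, as an added example written for this page (not Fortinet tooling). The affected and fixed ranges are copied from the Affected Products and Solutions sections; a version outside both, such as a 6.0.x release newer than 6.0.7, is reported as "not listed" rather than guessed at. The inventory and version-string formats are constructed.

```python
"""Classify FortiWeb versions against this advisory's affected and fixed ranges.

Example code for this page, not Fortinet tooling. Ranges are transcribed from
the advisory; anything it does not cover is reported as 'not listed'.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected Products section, inclusive ranges.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((6, 0, 0), (6, 0, 7)),
    ((6, 1, 0), (6, 1, 2)),
    ((6, 2, 0), (6, 2, 7)),
    ((6, 3, 0), (6, 3, 15)),
    ((6, 4, 0), (6, 4, 1)),
]
# Solutions section: first fixed release per branch ("or above").
FIXED_FROM_BRANCH: List[Version] = [(6, 3, 16), (6, 4, 2)]
FIXED_FROM_MAJOR: Version = (7, 0, 0)  # "7.0.0 or above" covers later branches too

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Pull major.minor.patch out of strings such as '6.3.15' or 'v6.3.15'."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one version string."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v <= hi:
            return "affected"
    if v >= FIXED_FROM_MAJOR:
        return "fixed"
    for fixed in FIXED_FROM_BRANCH:
        if v[:2] == fixed[:2] and v >= fixed:
            return "fixed"
    # e.g. 6.0.8 or 6.5.x: neither in an affected range nor in a listed fix.
    return "not listed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a {hostname: version string} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "fwb-dmz-1": "v6.3.15",
    "fwb-dmz-2": "6.3.16",
    "fwb-lab": "6.0.8",
    "fwb-edge": "7.2.0",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Treat "not listed" as a prompt to check the vendor's current advisory rather than as a clean bill of health; the script only encodes what this page states.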

Acknowledgement

Internally discovered and reported by Mattia Fecit of the Fortinet Product Security team.