An improper neutralization of input during web page generation [CWE-79] vulnerability in FortiOS may allow a remote, unauthenticated attacker to launch a cross-site scripting (XSS) attack via the "redir" parameter of the URL seen when the "Sign in with FortiCloud" button is clicked.
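To make the weakness class concrete, here is an added illustration (not FortiOS code and not based on Fortinet's implementation) of how a redirect parameter reflected into generated HTML becomes a CWE-79 defect, beside the neutralization a fix applies: an allow-list check on the redirect target followed by context-aware escaping for the HTML attribute it is written into. The function names, the link markup and the `/sso/login` path are assumptions for illustration only.

```python
"""Constructed example (not FortiOS code): reflected XSS via a redirect
parameter during web page generation (CWE-79), and its neutralization.
All names and paths here are hypothetical."""
import html
from urllib.parse import urlsplit

LINK_TEXT = "Sign in with FortiCloud"


def render_sso_link_unsafe(redir: str) -> str:
    """Interpolates the untrusted query value straight into markup.
    This is the 'improper neutralization' pattern: a quote character in
    `redir` ends the href attribute and the rest of the value becomes HTML."""
    return f'<a href="/sso/login?redir={redir}">{LINK_TEXT}</a>'


def validate_redir(redir: str) -> str:
    """Allow-list the redirect target: a single local, absolute path only.
    Values carrying a scheme or host, protocol-relative '//' or '/\\'
    forms, or non-printable characters fall back to the site root."""
    parts = urlsplit(redir)
    if parts.scheme or parts.netloc:
        return "/"
    if not redir.startswith("/") or redir.startswith("//") or redir.startswith("/\\"):
        return "/"
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in redir):
        return "/"
    return redir


def render_sso_link_safe(redir: str) -> str:
    """Neutralize for the attribute context: validate, then HTML-escape
    with quote=True so '"' cannot terminate the href attribute."""
    target = html.escape(validate_redir(redir), quote=True)
    return f'<a href="/sso/login?redir={target}">{LINK_TEXT}</a>'


if __name__ == "__main__":
    # Constructed sample input: a path followed by an attribute-breaking quote.
    sample = '/dashboard"><x>'
    print("unsafe:", render_sso_link_unsafe(sample))
    print("safe:  ", render_sso_link_safe(sample))
```

The unsafe renderer emits the input verbatim, so the `"` closes the attribute and `<x>` lands in the page as markup; the safe renderer keeps the same local path but the escaped output contains no raw `"`, `<` or `>`. Validation alone is not enough here, since a legitimate-looking local path can still carry quote characters, which is why the escape step is applied regardless of what the validator returns.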
| Affected versions | Solution |
|---|---|
| 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| 7.0.0 through 7.0.7 | Upgrade to 7.0.8 or above |
Disable the "Sign in with FortiCloud" feature using the commands below (the closing `end` commits the setting):

    config system global
        set admin-forticloud-sso-login disable
    end

and use other authentication methods to log in to FortiGate.