PSIRT Advisories
FortiADC - WAF XSS Injection Bypass
Summary
An improper handling of malformed request vulnerability [CWE-228] in FortiADC may allow a remote attacker without privileges to bypass some Web Application Firewall (WAF) protection such as the SQL Injection and XSS filters via a malformed HTTP request.
Affected Products
FortiADC version 7.0.0 through 7.0.2
FortiADC version 6.2.0 through 6.2.3
FortiADC version 6.1.0 through 6.1.6
FortiADC version 6.0.0 through 6.0.4
FortiADC version 5.4.0 through 5.4.5
FortiADC version 5.3.0 through 5.3.7
FortiADC version 5.2.0 through 5.2.8
FortiADC version 5.1.0 through 5.1.7
FortiADC version 5.0.0 through 5.0.4
Solutions
Please upgrade to FortiADC version 7.1.0 or above
Please upgrade to FortiADC version 7.0.3 or above
Please upgrade to FortiADC version 6.2.4 or above
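The version ranges above are inclusive and span nine release branches, so a quick way to triage a fleet is to compare each appliance's reported version against them programmatically. The following is an added example for this page, not Fortinet's code or tooling; it transcribes the affected ranges and fixed releases listed in this advisory into a lookup, and assumes the input is a plain major.minor.patch string (an optional leading "v" is tolerated as an assumption about how versions are recorded in inventory). Branches for which the advisory lists no fixed build (6.1 and older) are reported as affected with no branch-local fix, so the listed fixed releases on newer branches are the only remediation targets the advisory gives.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges and the fixed release on the same branch,
# transcribed from this advisory. None means the advisory lists no
# fixed build for that branch.
AFFECTED_RANGES: List[Tuple[Version, Version, Optional[Version]]] = [
    ((7, 0, 0), (7, 0, 2), (7, 0, 3)),
    ((6, 2, 0), (6, 2, 3), (6, 2, 4)),
    ((6, 1, 0), (6, 1, 6), None),
    ((6, 0, 0), (6, 0, 4), None),
    ((5, 4, 0), (5, 4, 5), None),
    ((5, 3, 0), (5, 3, 7), None),
    ((5, 2, 0), (5, 2, 8), None),
    ((5, 1, 0), (5, 1, 7), None),
    ((5, 0, 0), (5, 0, 4), None),
]

# Every fixed release the advisory names ("or above" applies to each).
FIXED_RELEASES: List[str] = ["6.2.4", "7.0.3", "7.1.0"]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (optionally prefixed with 'v') into a tuple.

    The 'v' prefix handling is an assumption about inventory formats, not
    something the advisory specifies. Anything else is rejected rather than
    guessed at, so a malformed record cannot silently read as unaffected.
    """
    cleaned = text.strip()
    if cleaned[:1] in ("v", "V"):
        cleaned = cleaned[1:]
    parts = cleaned.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def check_fortiadc(text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, branch_fix) for a FortiADC version string.

    branch_fix is the fixed release on the same branch when the advisory
    lists one, otherwise None; in that case any entry of FIXED_RELEASES
    (or above) is the remediation the advisory offers.
    """
    version = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:  # tuple comparison is lexicographic
            return True, (".".join(map(str, fixed)) if fixed else None)
    return False, None


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (hostname, version) pairs as 'affected', 'ok' or 'unparseable'."""
    results = []
    for host, version in inventory:
        try:
            affected, fix = check_fortiadc(version)
        except ValueError:
            results.append((host, version, "unparseable"))
            continue
        if not affected:
            results.append((host, version, "ok"))
        elif fix:
            results.append((host, version, f"affected, upgrade to {fix} or above"))
        else:
            results.append((host, version, "affected, upgrade to " + " / ".join(FIXED_RELEASES)))
    return results


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("adc-edge-1", "7.0.2"), ("adc-edge-2", "v6.1.6"),
              ("adc-lab", "7.1.0"), ("adc-legacy", "5.0.4"), ("adc-bad", "7.0")]
    for row in triage(sample):
        print(*row, sep="\t")
```

Keeping the ranges as tuples rather than comparing version strings matters: a string comparison would rank "6.2.10" below "6.2.4", which is exactly the kind of mistake that leaves an affected box marked as patched.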