FortiNAC - Multiple XML external entity (XXE) injection

Summary

An improper restriction of XML external entity reference vulnerability [CWE-611] in the parser of XML requests of FortiNAC may allow an unauthenticated attacker to trigger a denial of service or read arbitrary files from the underlying file system via specifically crafted XML documents.

Affected Products

FortiNAC version 9.4.0 through 9.4.1
FortiNAC all versions 9.2, 9.1, 8.8, 8.7, 8.6, 8.5, 8.3

Solutions

Please upgrade to FortiNAC version 9.4.2 or above
Please upgrade to FortiNAC version 7.2.0 or above

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.