Multiple XML external entity (XXE) injection


An improper restriction of XML external entity reference vulnerability [CWE-611] in the parser of XML requests of FortiNAC may allow an unauthenticated attacker to trigger a denial of service or read arbitrary files from the underlying file system via specifically crafted XML documents.

Affected Products

FortiNAC version 9.4.0 through 9.4.1
FortiNAC all versions 9.2, 9.1, 8.8, 8.7, 8.6, 8.5, 8.3


Please upgrade to FortiNAC version 9.4.2 or above
Please upgrade to FortiNAC version 7.2.0 or above


Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.