FortiPortal - XSS observed on policy column settings


An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiPortal management interface may allow a remote authenticated attacker to perform a stored cross site scripting (XSS) attack via sending request with specially crafted columnindex parameter.

Affected Products

FortiPortal version 6.0.0 through 6.0.11
FortiPortal 5.3 all versions
FortiPortal 5.2 all versions
FortiPortal 5.1 all versions
FortiPortal 5.0 all versions


Please upgrade to FortiPortal version 6.0.12 or above


Fortinet is pleased to thank Dmitry Bulkot from DEFEND ltd for reporting this vulnerability under responsible disclosure.