PSIRT Advisories

FortiDeceptor - Reflected XSS vulnerability on Lure Resources page

Summary

An improper neutralization of input during web page generation vulnerability [CWE-79] in the FortiDeceptor management interface may allow an authenticated user to perform a cross-site scripting (XSS) attack by sending requests with a specially crafted lure resource ID.

Affected Products

FortiDeceptor version 4.2.0
FortiDeceptor version 4.1.0 through 4.1.1
FortiDeceptor version 4.0.2

Solutions

Please upgrade to FortiDeceptor version 4.3.0 or above
Please upgrade to FortiDeceptor version 4.2.1 or above
Please upgrade to FortiDeceptor version 4.1.2 or above
Please upgrade to FortiDeceptor version 4.0.3 or above