Cross Site Scripting vulnerabilities in administrative interface
Summary
Multiple improper neutralization of input during web page generation ('Cross-site Scripting') vulnerabilities [CWE-79] in FortiOS & FortiProxy administrative interface may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP or HTTPS GET requests.
Affected Products
FortiProxy version 7.2.0 through 7.2.1
FortiProxy version 7.0.0 through 7.0.7
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.9
FortiOS version 6.4.0 through 6.4.11
FortiOS version 6.2.0 through 6.2.12
Solutions
Please upgrade to FortiProxy version 7.2.2 or above
Please upgrade to FortiProxy version 7.0.8 or above
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.10 or above
Please upgrade to FortiOS version 6.4.12 or above
Please upgrade to FortiOS version 6.2.13 or above
Acknowledgement
Internally discovered and reported by Théo Leleu of Fortinet Product Security team.Timeline
2023-04-11: Initial publication