FortiOS - HTML injection in SAML and Security Fabric components

Summary

An improper neutralization of script-related HTML tags in a web page vulnerability [CWE-80] in FortiOS may allow a remote authenticated attacker to inject script-related HTML tags via the SAML and Security Fabric components.

Version        Affected               Solution
FortiOS 7.4    Not affected           Upgrade to 7.4.0 or above
FortiOS 7.2    7.2.0 through 7.2.5    Upgrade to 7.2.6 or above
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Acknowledgement

Internally discovered and reported by William Costa from Fortinet's CSE team

Timeline

2023-10-10: Initial publication