HTML injection in SAML and Security Fabric components


An improper neutralization of script-related HTML tags in a web page vulnerability [CWE-80] in FortiOS may allow a remote authenticated attacker to inject script-related HTML tags via the SAML and Security Fabric components.
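To make the weakness class concrete, the following is an added example; it is not FortiOS code and does not describe the actual flaw or where it sits in the SAML or Security Fabric code paths. It shows the CWE-80 pattern in general form: a page fragment built by interpolating a stored, user-controlled value (here a constructed SAML-style display name) without escaping, the escaped rendering that neutralizes script-related tags, and an input-side check that flags such values for logging. The template, function names and sample value are assumptions.

```python
import html
import re

# Constructed sample: a value an authenticated user could store in a
# configuration object (e.g. a SAML IdP display name) that the web UI
# later renders into a page. It is not taken from the advisory.
SAMPLE_VALUE = "Alice <script>alert(document.cookie)</script>"

# Hypothetical page template: the stored value lands in an HTML text context.
TEMPLATE = '<td class="name">{}</td>'


def render_vulnerable(value: str) -> str:
    """CWE-80 pattern: interpolate the raw value, so any tags it carries
    become live markup in the rendered page."""
    return TEMPLATE.format(value)


def render_hardened(value: str) -> str:
    """Escape for an HTML text context before interpolation; '<', '>', '&'
    and quotes become entities, so the browser renders them as text."""
    return TEMPLATE.format(html.escape(value, quote=True))


# Script-related tags, event handlers and URL schemes that CWE-80 covers.
_SCRIPT_TAG_RE = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed|svg|img|body|link|meta)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def looks_like_script_injection(value: str) -> bool:
    """Input-side check: flag values that carry script-related markup.
    Suitable for logging or alerting, not as the only defence; output
    escaping is what actually neutralizes the tags."""
    return _SCRIPT_TAG_RE.search(value) is not None


def rendered_has_live_script(fragment: str) -> bool:
    """Output-side check: does the rendered fragment contain an unescaped
    <script> tag, i.e. one the browser would execute?"""
    return re.search(r"<\s*script\b", fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("hardened", render_hardened)):
        out = render(SAMPLE_VALUE)
        print(f"{name}: {out}")
        print(f"  live script tag: {rendered_has_live_script(out)}")
    print(f"input flagged: {looks_like_script_injection(SAMPLE_VALUE)}")
```

The fix that matters is context-aware output encoding at the point where the value enters the page; the input-side regex is only a detection aid, since attribute and URL contexts need different encoding and a denylist of tag names is easy to bypass.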

Version        Affected                 Solution
FortiOS 7.4    Not affected             Not Applicable
FortiOS 7.2    7.2.0 through 7.2.5      Upgrade to 7.2.6 or above
Follow the recommended upgrade path using our tool at:


Internally discovered and reported by William Costa from Fortinet's CSE team


2023-10-10: Initial publication