PSIRT Advisories

FortiOS & FortiProxy - Stored XSS in guest management page

Summary

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in the FortiOS and FortiProxy GUI may allow an authenticated attacker to trigger malicious JavaScript code execution via a crafted guest management setting.

Major Version  Affected Products                         Solutions
7.2            FortiProxy version 7.2.0 through 7.2.4    Please upgrade to FortiProxy version 7.2.5 or above
7.0            FortiProxy version 7.0.0 through 7.0.10   Please upgrade to FortiProxy version 7.0.11 or above
7.2            FortiOS version 7.2.0 through 7.2.4       Please upgrade to FortiOS version 7.2.5 or above
7.0            FortiOS version 7.0.0 through 7.0.11      Please upgrade to FortiOS version 7.0.12 or above
6.4            FortiOS version 6.4.0 through 6.4.12      Please upgrade to FortiOS version 6.4.13 or above
6.2            FortiOS version 6.2.0 through 6.2.14      Please upgrade to FortiOS version 6.2.15 or above
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
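As an added check that is not part of the advisory, the Python below decides whether a FortiOS or FortiProxy version falls into one of the affected ranges listed above and, if so, which release to upgrade to. The `get system status` sample line is constructed, and versions are compared as integer tuples so that 7.0.9 is correctly treated as older than 7.0.10 (a plain string comparison gets that backwards).

```python
import re
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


class AffectedRange(NamedTuple):
    product: str
    first: Version   # first affected release, inclusive
    last: Version    # last affected release, inclusive
    fixed: Version   # release that carries the fix


# Ranges transcribed from the advisory table above.
AFFECTED = [
    AffectedRange("FortiProxy", (7, 2, 0), (7, 2, 4), (7, 2, 5)),
    AffectedRange("FortiProxy", (7, 0, 0), (7, 0, 10), (7, 0, 11)),
    AffectedRange("FortiOS", (7, 2, 0), (7, 2, 4), (7, 2, 5)),
    AffectedRange("FortiOS", (7, 0, 0), (7, 0, 11), (7, 0, 12)),
    AffectedRange("FortiOS", (6, 4, 0), (6, 4, 12), (6, 4, 13)),
    AffectedRange("FortiOS", (6, 2, 0), (6, 2, 14), (6, 2, 15)),
]

# Matches the "v7.0.10" token in a FortiOS/FortiProxy "get system status" Version line.
VERSION_TOKEN = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Version:
    """Turn '7.0.10' or 'v7.0.10' into (7, 0, 10) for numeric comparison."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def version_from_status(line: str) -> Version:
    """Extract the firmware version from a 'Version:' line of 'get system status'."""
    match = VERSION_TOKEN.search(line)
    if match is None:
        raise ValueError(f"no version token in: {line!r}")
    return (int(match.group(1)), int(match.group(2)), int(match.group(3)))


def fix_for(product: str, version: Version) -> Optional[str]:
    """Return the release to upgrade to if the version is in an affected range.

    None means the version is outside every range the advisory lists; branches
    the table does not mention are not covered either way.
    """
    for rng in AFFECTED:
        if rng.product == product and rng.first <= version <= rng.last:
            return ".".join(str(n) for n in rng.fixed)
    return None


# Constructed sample of a "get system status" Version line (not real device output).
SAMPLE_STATUS = "Version: FortiGate-100F v7.0.10,build0489,230203 (GA.F)"
```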

Acknowledgement

Internally discovered and reported by William Costa from Fortinet's CSE team

Timeline

2023-09-01: Initial publication