FortiMail - HTML injection in Calendar


An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail may allow an authenticated attacker to inject HTML tags in FortiMail's calendar via input fields.

Version         Affected               Solution
FortiMail 7.4   Not affected           Not Applicable
FortiMail 7.2   7.2.0 through 7.2.2    Upgrade to 7.2.3 or above
FortiMail 7.0   7.0.1 through 7.0.5    Upgrade to 7.0.6 or above


Internally discovered and reported by Hritik Sateesh from Fortinet's Burnaby InfoSec team.


2023-09-29: Initial publication