FortiMail - HTML injection in Calendar

Summary

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail may allow an authenticated attacker to inject HTML tags in FortiMail's calendar via input fields.

Version Affected Solution
FortiMail 7.4 Not affected Not Applicable
FortiMail 7.2 7.2.0 through 7.2.2 Upgrade to 7.2.3 or above
FortiMail 7.0 7.0.1 through 7.0.5 Upgrade to 7.0.6 or above

Acknowledgement

Internally discovered and reported by Hritik Sateesh from Fortinet's Burnaby InfoSec team.

Timeline

2023-10-10: Initial publication