FortiMail - HTML injection in Calendar
Summary
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail may allow an authenticated attacker to inject HTML tags in FortiMail's calendar via input fields.
Version | Affected | Solution |
---|---|---|
FortiMail 7.4 | Not affected | Not Applicable |
FortiMail 7.2 | 7.2.0 through 7.2.2 | Upgrade to 7.2.3 or above |
FortiMail 7.0 | 7.0.1 through 7.0.5 | Upgrade to 7.0.6 or above |
Acknowledgement
Internally discovered and reported by Hritik Sateesh from Fortinet's Burnaby InfoSec team.Timeline
2023-10-10: Initial publication