XSS in /500/rescuemode and /500/sysupgrade pages
Summary
An improper neutralization of input during web page generation [CWE-79] vulnerability in FortiDeceptor may allow an attacker to perform a reflected cross-site scripting attack in the recovery endpoints.
| Version | Affected | Solution |
|---|---|---|
| FortiDeceptor 6.0 | Not affected | Not Applicable |
| FortiDeceptor 5.3 | 5.3.0 | Upgrade to 5.3.1 or above |
| FortiDeceptor 5.2 | 5.2.0 | Upgrade to 5.2.1 or above |
| FortiDeceptor 5.1 | 5.1 all versions | Migrate to a fixed release |
| FortiDeceptor 5.0 | 5.0 all versions | Migrate to a fixed release |
| FortiDeceptor 4.3 | 4.3 all versions | Migrate to a fixed release |
| FortiDeceptor 4.2 | 4.2 all versions | Migrate to a fixed release |
| FortiDeceptor 4.1 | 4.1 all versions | Migrate to a fixed release |
| FortiDeceptor 4.0 | 4.0 all versions | Migrate to a fixed release |
| FortiDeceptor 3.3 | 3.3 all versions | Migrate to a fixed release |
| FortiDeceptor 3.2 | 3.2 all versions | Migrate to a fixed release |
| FortiDeceptor 3.1 | 3.1 all versions | Migrate to a fixed release |
| FortiDeceptor 3.0 | 3.0 all versions | Migrate to a fixed release |