PSIRTOpen Redirect and XSS in Web Filter warning page
Summary
An Improper Neutralization of Input During Web Page Generation and URL Redirection to Untrusted Site vulnerabilities [CWE-79, CWE-601] in FortiOS, FortiProxy and FortiSASE may allow an unauthenticated attacker to perform a reflected cross site scripting (XSS) or an open redirect attack via crafted HTTP requests.
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.8 | Upgrade to 7.4.9 or above |
| FortiOS 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiOS 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiOS 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiProxy 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiProxy 7.4 | 7.4 all versions | Migrate to a fixed release |
| FortiProxy 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiProxy 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiSASE 25.2 | 25.2.a | Fortinet remediated this issue in FortiSASE version 25.3.b and hence customers do not need to perform any action. |