DHCP Hostname HTML Injection Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-16-003 Final 1 1 2016-03-16T00:00:00 Current version 2016-03-16T00:00:00 2016-03-16T00:00:00 It is possible to inject malicious script through the DHCP HOSTNAME option. The malicious script code is injected into the device's "DHCP Monitor" page (System->Monitor->DHCP Monitor) on the web-based interface which is accessible by the webui administrators. Cross Site Scripting FortiOS Upgrade to one the following FortiOS versions: 5.0 branch: 5.0.13 or above 5.2 branch: 5.2.4 or above 5.4 branch: 5.4.0 or above 4.3 and lower branches are not affected by this vulnerability. https://fortiguard.fortinet.com/psirt/FG-IR-16-003 DHCP Hostname HTML Injection https://cwe.mitre.org/data/definitions/80.html https://cwe.mitre.org/data/definitions/80.html Fortinet is pleased to thanks to Ziv Kamir from GamaSec for reporting a FortiOS vulnerability under responsible disclosure CVE-2015-3626 https://fortiguard.fortinet.com/psirt/FG-IR-16-003 DHCP Hostname HTML Injection Reference> https://cwe.mitre.org/data/definitions/80.html https://cwe.mitre.org/data/definitions/80.html