<?xml version="1.0" encoding="UTF-8"?>
<cvrf:cvrfdoc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cvrf-common="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/common" xmlns:cvrf="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
    <cvrf:DocumentTitle>FortiAnalyzer and FortiManager stored XSS vulnerability in report filters</cvrf:DocumentTitle>
    <cvrf:DocumentType>Fortinet PSIRT Advisories</cvrf:DocumentType>
    <cvrf:DocumentPublisher Type="Vendor">
        <cvrf:ContactDetails>
            Fortinet PSIRT Contact:
            Website: https://fortiguard.fortinet.com/faq/psirt-contact
        </cvrf:ContactDetails>
     </cvrf:DocumentPublisher>
    <cvrf:DocumentTracking>
        <cvrf:Identification>
            <cvrf:ID>FG-IR-16-051</cvrf:ID>
        </cvrf:Identification>
        <cvrf:Status>Final</cvrf:Status>
        <cvrf:Version>1</cvrf:Version>
        <cvrf:RevisionHistory>
            <cvrf:Revision>
                <cvrf:Number>1</cvrf:Number>
                <cvrf:Date>2016-10-05T00:00:00</cvrf:Date>
                <cvrf:Description>Current version</cvrf:Description>
        </cvrf:Revision>
       </cvrf:RevisionHistory>
        <cvrf:InitialReleaseDate>2016-10-05T00:00:00</cvrf:InitialReleaseDate>
        <cvrf:CurrentReleaseDate>2016-10-05T00:00:00</cvrf:CurrentReleaseDate>
    </cvrf:DocumentTracking>
    <cvrf:DocumentNotes>
        <cvrf:Note Title="Summary" Type="Summary" Ordinal="1">
            A stored cross-site scripting (XSS) vulnerability in the advanced settings page of FortiAnalyzer/FortiManager could allow an administrator to inject scripts into the add filter field.
        </cvrf:Note>
        <cvrf:Note Title="Impact" Type="General" Ordinal="2">
            Access to another privileged administrator user&#39;s data
        </cvrf:Note>
        <cvrf:Note Title="Affected Products" Type="General" Ordinal="3">
            FortiManager: 5.0.0 - 5.0.11, 5.2.0 - 5.2.2; FortiAnalyzer: 5.0.0 - 5.0.12, 5.2.0 - 5.2.2
        </cvrf:Note>
        <cvrf:Note Title="Solutions" Type="General" Ordinal="4">
            Upgrade to: FortiManager 5.0.12 and above, 5.2.3 and above, 5.4.0 and above; FortiAnalyzer 5.0.13 and above, 5.2.3 and above, 5.4.0 and above. FortiManager hardware models without a hard disk are not affected. This feature is disabled by default in all FortiManager versions.
        </cvrf:Note>
    </cvrf:DocumentNotes>
    <cvrf:Acknowledgments>
        <cvrf:Acknowledgment>
            <cvrf:Description>Fortinet is pleased to thank Ismail Saygili for reporting a FortiManager/FortiAnalyzer vulnerability under responsible disclosure.</cvrf:Description>
        </cvrf:Acknowledgment>
    </cvrf:Acknowledgments>
    <Vulnerability Ordinal="1">
        <Title>FortiAnalyzer and FortiManager stored XSS vulnerability in report filters</Title>
        <cvrf:CVE>CVE-2015-7363</cvrf:CVE>
        <References Type="Self">
            <Reference>
                <URL>https://fortiguard.fortinet.com/psirt/FG-IR-16-051</URL>
                <Description>FortiAnalyzer and FortiManager stored XSS vulnerability in report filters</Description>
            </Reference>
        </References>
    </Vulnerability>
</cvrf:cvrfdoc>