FAC OWA injection vulnerability on login page Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-19-104 Final 1 1 2020-01-06T00:00:00 Current version 2020-01-06T00:00:00 2020-01-06T00:00:00 An improper neutralization of input during web page generation in FortiAuthenticator Agent for Outlook Web Access may allow an unauthenticated user to perform a cross-site scripting attack (XSS) via a parameter of the logon page. Execute unauthorized code or commands FortiAuthenticator Agent for Outlook Web Access v1.5 and below Upgrade the FortiAuthenticator Agent for Outlook Web Access on your Microsoft Exchange servers to v1.6. The installer is available for download from within the administrative web interface of FortiAuthenticator 6.0.1 or greater; however it is not necessary to upgrade your FortiAuthenticator to resolve this issue.Customers who do not want to upgrade their FortiAuthenticator appliance or who do not have a spare lab unit are advised to contact their Fortinet support engineer in order to obtain the FortiAuthenticator Agent for Outlook Web Access v1.6 installer.To contact Fortinet support team please follow this link:https://www.fortinet.com/support/contact.html Fortinet is pleased to thank Konstantinos Kanavidis from DEVOQ Technology for reporting this vulnerability under responsible disclosure. CVE-2019-16154 6.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-19-104 FAC OWA injection vulnerability on login page Reference>