HTML injection in WebUI
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-20-005
Final
1
1
2020-09-18T00:00:00
Current version
2020-09-18T00:00:00
2020-09-18T00:00:00
An improper neutralization of script-related HTML tags in a web page in FortiManager and FortiAnalyzer may allow an attacker to perform a cross site scripting (XSS) attack via the Identify Provider name field.
Execute unauthorized code or commands
FortiManager version 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5 and 6.2.6 FortiAnalyzer version 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5 and 6.2.6
Please upgrade to FortiManager 6.4.0 or abovePlease upgrade to FortiAnalyzer 6.4.0 or above
Fortinet is pleased to thank Danilo Costa from PBI Dynamic IT Security for reporting this vulnerability under responsible disclosure.
HTML injection in WebUI
CVE-2020-12811
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:X/RC:X
https://fortiguard.fortinet.com/psirt/FG-IR-20-005
HTML injection in WebUI
Reference>