XSS Vulnerability in Report Templates Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-228 Final 1 1 2022-11-01T00:00:00 Current version 2022-11-01T00:00:00 2022-11-01T00:00:00 An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiManager and FortiAnalyzer report templates may allow a low privilege level attacker to perform an XSS attack via posting a crafted CKeditor "protected" comment as described in CVE-2020-9281. None Execute unauthorized code or commands FortiAnalyzer version 7.0.0 through 7.0.4FortiAnalyzer version 6.4.0 through 6.4.8FortiAnalyzer 6.2 all versionsFortiAnalyzer 6.0 all versionsFortiManager version 7.0.0 through 7.0.4FortiManager version 6.4.0 through 6.4.8FortiManager 6.2 all versionsFortiManager 6.0 all versions Upgrade to FortiAnalyzer version 7.2.0 or aboveUpgrade to FortiAnalyzer version 7.0.5 or aboveUpgrade to FortiAnalyzer version 6.4.9 or aboveUpgrade to FortiManager version 7.2.0 or aboveUpgrade to FortiManager version 7.0.5 or aboveUpgrade to FortiManager version 6.4.9 or above Fortinet is pleased to thank Mark de Groot and Ron Oostveen from the KPN REDteam for bringing this issue to our attention under responsible disclosure. CVE-2022-39950 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-21-228 XSS Vulnerability in Report Templates Reference>