FortiWeb Cross-Site Scripting Vulnerabilities

Description

FortiWeb 5.0, 5.1 and 5.2.0 are vulnerable to multiple reflected cross-site scripting issues. Several parameters accepted by the web management interface URLs /user/ldap_user/check_dlg and /user/radius_user/check_dlg lack sufficient input filtering, so their values are returned to the browser without adequate encoding.
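The root cause the advisory describes is a request parameter being copied into the response without adequate validation or HTML encoding. The following is an added illustration, not Fortinet's code, contrasting that pattern with a hardened handler for a parameter of a dialog like the ones named above. The parameter name `server`, the allowlist, the length bound and the sample input are assumptions of this example; the advisory does not disclose which parameters are affected.

```python
import html
from urllib.parse import parse_qs

# Endpoints named in the advisory; used only to recognise requests to them.
AFFECTED_PATHS = ("/user/ldap_user/check_dlg", "/user/radius_user/check_dlg")

# Hypothetical parameter allowlist for the dialog (assumption of this example).
ALLOWED_PARAMS = {"server", "port"}
MAX_HOSTNAME_LEN = 253  # longest valid DNS name


def is_affected_endpoint(path: str) -> bool:
    """True if the request path is one of the dialogs listed in the advisory."""
    return path.split("?", 1)[0] in AFFECTED_PATHS


def reflect_unsafe(query: str) -> str:
    """Vulnerable pattern: the raw parameter value is interpolated into markup.

    A value containing a closing quote and angle brackets escapes the
    attribute and is interpreted as HTML by the browser.
    """
    params = parse_qs(query, keep_blank_values=True)
    server = params.get("server", [""])[0]
    return f'<input name="server" value="{server}">'


def reflect_hardened(query: str) -> str:
    """Hardened pattern: reject unexpected parameters, bound the value, then
    HTML-encode it for the attribute context before it is reflected."""
    params = parse_qs(query, keep_blank_values=True)
    unexpected = set(params) - ALLOWED_PARAMS
    if unexpected:
        raise ValueError(f"unexpected parameters: {sorted(unexpected)}")
    server = params.get("server", [""])[0]
    if len(server) > MAX_HOSTNAME_LEN:
        raise ValueError("server value too long")
    # quote=True encodes both " and ' so the value cannot close the attribute.
    safe = html.escape(server, quote=True)
    return f'<input name="server" value="{safe}">'


def response_headers() -> dict:
    """Defence-in-depth headers a management interface should send alongside
    correct output encoding; they limit what an injected script could do."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    # Constructed sample: a value that merely closes the attribute and opens a tag.
    sample = 'server=a"><b>'
    print("unsafe   :", reflect_unsafe(sample))
    print("hardened :", reflect_hardened(sample))
```

The hardened handler does three independent things: it refuses parameters it does not expect, it bounds the value to what a hostname can legitimately be, and it encodes for the exact context (a double-quoted attribute) in which the value is emitted. Only the last step is strictly required to stop the reflection; the other two shrink the attack surface and make anomalous requests easy to log.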

Impact Detail

A remote unauthenticated attacker may be able to execute arbitrary JavaScript in the context of an administrative browser session under certain scenarios.

Affected Products

FortiWeb 5.0.x, 5.1.x and 5.2.0.

Solutions

Upgrade to FortiWeb 5.2.1 or higher.

Acknowledgement

William Costa