XSS vulnerability in FortiNAC admin webUI search field

Summary

An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in the FortiNAC admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the webUI search field.

Affected Products

FortiNAC 8.3.0 to 8.3.6 and 8.5.0

Solutions

Upgrade to FortiNAC 8.3.7 or 8.5.1.

Acknowledgement

Fortinet is pleased to thank Johnatan Camargo from PBI | Dynamic IT Security for reporting this vulnerability under responsible disclosure.