PSIRT Advisory

FortiWeb Stored Cross-Site Scripting Vulnerability

Description

Authenticated administrative users can store injected JavaScript content in a specific field of the web management interface. This JavaScript may be evaluated in the context of another administrative user who browses to the affected web page.

Impact

Privilege Elevation

Affected Products

FortiWeb 5.0.3 and lower.

Solutions

Upgrade to FortiWeb 5.0.4 or higher.

Acknowledgement

Enrique E. Nissim from the ZConsulting team (http://www.zconsulting.com.ar)