PSIRT Advisory

DHCP Hostname HTML Injection


It is possible to inject malicious script through the DHCP HOSTNAME option. The injected script code appears in the device's "DHCP Monitor" page (System->Monitor->DHCP Monitor) of the web-based interface, which is accessible to webui administrators.
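
The class of flaw described above is a client-supplied DHCP option 12 value reaching an administrative HTML page unescaped. The following is an added example, not Fortinet's code or its fix: it assumes a generic lease monitor that reads option 12 from the DHCP options field, checks it against RFC 1123 hostname syntax, and HTML-escapes it on output. All function names and the sample bytes are hypothetical and constructed for illustration.

```python
import html
import re

# RFC 1123 host label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
OPT_PAD, OPT_HOSTNAME, OPT_END = 0, 12, 255

# Constructed sample options field: message type (53), hostname (12), end (255).
SAMPLE_PAYLOAD = b"<script>alert(1)</script>"
SAMPLE_OPTIONS = bytes([53, 1, 3, 12, len(SAMPLE_PAYLOAD)]) + SAMPLE_PAYLOAD + bytes([255])

def extract_hostname(options):
    """Walk the code/length/value options and return raw option 12 bytes, or None."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            return None  # truncated: length byte missing
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            return None  # truncated: value shorter than declared
        if code == OPT_HOSTNAME:
            return value
        i += 2 + length
    return None

def is_valid_hostname(raw):
    """True only for ASCII names made of RFC 1123 labels, at most 253 chars."""
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return 0 < len(name) <= 253 and all(_LABEL.fullmatch(p) for p in name.split("."))

def render_lease_row(ip, raw_hostname):
    """Build one HTML table row; every field is escaped at output time."""
    if raw_hostname is None:
        shown = "(none)"
    else:
        text = raw_hostname.decode("utf-8", errors="replace")
        shown = text if is_valid_hostname(raw_hostname) else "[invalid] " + text
    return "<tr><td>{}</td><td>{}</td></tr>".format(html.escape(ip), html.escape(shown))
```

Escaping happens in `render_lease_row` regardless of the validation result, so a name that passes or fails the syntax check can never introduce markup into the page.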


Cross Site Scripting

Affected Products



Upgrade to one of the following FortiOS versions:

  • 5.0 branch: 5.0.13 or above
  • 5.2 branch: 5.2.4 or above
  • 5.4 branch: 5.4.0 or above
4.3 and lower branches are not affected by this vulnerability.


Fortinet is pleased to thank Ziv Kamir from GamaSec for reporting a FortiOS vulnerability under responsible disclosure.