PSIRT Advisory

FortiManager and FortiAnalyzer Persistent XSS vulnerability

Summary

A persistent (stored) XSS vulnerability in FortiManager/FortiAnalyzer could allow privileged guest user accounts and restricted user accounts to inject malicious script into the application side or client side of the appliance web application; this potentially enables XSS attacks.


Description

A persistent (stored) XSS vulnerability in FortiManager/FortiAnalyzer could allow privileged guest user accounts and restricted user accounts to inject malicious script into the application side or client side of the appliance web application. Because the issue is persistent, script saved by such a low-privilege account is rendered later to other users of the web application who view the affected page; this potentially enables XSS attacks.
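The bug class above, as an added example that is not FortiManager/FortiAnalyzer code and not taken from the report: a value saved by a low-privilege account is rendered later to other users. The vulnerable concatenation pattern is shown next to the hardened one (HTML-entity encoding at output time), plus the encoding needed for a different context (a value embedded in an inline script), where `html.escape` is the wrong tool. The store, field names and payload are constructed for illustration.

```python
"""Stored XSS: the vulnerable rendering pattern beside the hardened one.

Added example (not FortiManager/FortiAnalyzer code). It models the bug class
the advisory describes: a low-privilege account stores a value that the web
UI later renders for other users. The store and payload are constructed.
"""
import html
import json
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed payload standing in for what a restricted user might save in a
# free-text field; it is not an exploit taken from the advisory.
SAMPLE_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'

# Hypothetical persisted store of user-supplied fields (owner -> value).
_store: Dict[str, str] = {}


def save_field(owner: str, value: str) -> None:
    """Persist the raw value. Storing it unchanged is fine; the fix belongs at
    output time, where the rendering context is known."""
    _store[owner] = value


def render_unsafe(owner: str) -> str:
    """Vulnerable pattern: stored data concatenated straight into HTML."""
    return f"<td>{_store.get(owner, '')}</td>"


def render_safe(owner: str) -> str:
    """Hardened pattern: HTML-entity encode for the element/attribute context.
    quote=True also encodes ' and ", so the value is safe inside quoted
    attributes as well as in element text."""
    return f"<td>{html.escape(_store.get(owner, ''), quote=True)}</td>"


def js_string_literal(value: str) -> str:
    """Encoding for a different context: a value embedded in an inline
    <script> as a JS string literal. JSON-encode, then encode <, > and & so
    a stored '</script>' cannot close the script element."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


class _TagCollector(HTMLParser):
    """Minimal parser used to inspect rendered output for live markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.event_handlers: List[Tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.event_handlers.append((tag, name.lower()))


def live_event_handlers(rendered: str) -> List[Tuple[str, str]]:
    """Return (tag, attribute) pairs for every on* handler that a browser
    would parse as a real attribute in this output. Entity-encoded text
    never reaches handle_starttag, so the hardened output yields []."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.event_handlers


if __name__ == "__main__":
    save_field("guest", SAMPLE_PAYLOAD)
    print(render_unsafe("guest"), live_event_handlers(render_unsafe("guest")))
    print(render_safe("guest"), live_event_handlers(render_safe("guest")))
    print(js_string_literal("</script><img onerror=x>"))
```

The check in `live_event_handlers` is deliberately parser-based rather than a substring search: the encoded output still contains the text `onerror=`, but no browser will treat it as an attribute, and that is the property that matters.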


Impact

Cross-site scripting (XSS) attacks against users of the appliance web application.

Affected Products

FortiManager: 5.0.0 - 5.0.11, 5.2.0 - 5.2.5, 5.4.0

FortiAnalyzer: 5.0.0 - 5.0.12, 5.2.0 - 5.2.5, 5.4.0

Solutions

Upgrade to:

FortiManager 

5.4.1 and above

5.2.6 and above

5.0.12 and above


FortiAnalyzer 

5.4.1 and above

5.2.6 and above

5.0.13 and above
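A version check over the ranges listed under Affected Products and Solutions, as an added example (not Fortinet tooling; the inventory lines and hostnames are constructed). The point it makes beyond the lists themselves: the branches must be compared numerically, since a string comparison puts 5.0.12 before 5.0.9, and FortiAnalyzer 5.0.12 is affected while FortiManager 5.0.12 is the fixed build.

```python
"""Affected-version check for the ranges in this advisory.

Added example (not Fortinet tooling). The ranges are copied from the
Affected Products / Solutions sections; the inventory fed in is constructed.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (first affected, last affected, first fixed) per branch, from the advisory.
AFFECTED: Dict[str, List[Tuple[str, str, str]]] = {
    "FortiManager": [
        ("5.0.0", "5.0.11", "5.0.12"),
        ("5.2.0", "5.2.5", "5.2.6"),
        ("5.4.0", "5.4.0", "5.4.1"),
    ],
    "FortiAnalyzer": [
        ("5.0.0", "5.0.12", "5.0.13"),
        ("5.2.0", "5.2.5", "5.2.6"),
        ("5.4.0", "5.4.0", "5.4.1"),
    ],
}

# Constructed inventory: hostname,product,version (one appliance per line).
SAMPLE_INVENTORY = """\
fmg-hq,FortiManager,5.2.3
faz-dc1,FortiAnalyzer,5.0.12
fmg-lab,FortiManager,v5.0.12-build0325
faz-dc2,FortiAnalyzer,5.4.1
"""


def parse_version(text: str) -> Version:
    """Parse '5.2.5', 'v5.2.5', '5.2' or '5.2.5-build1234' into a tuple of
    ints so that comparisons are numeric. A missing third component is
    treated as 0; anything else raises ValueError rather than guessing."""
    core = text.strip().lstrip("vV").split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    if len(nums) < 3:
        nums = nums + (0,) * (3 - len(nums))
    return nums


def check(product: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, first fixed build in that branch). For a version
    that is not affected the second element is None. A version outside every
    listed branch is reported as not affected by this advisory only; that
    says nothing about other advisories for the product."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED[product]:
        if parse_version(lo) <= v <= parse_version(hi):
            return True, fixed
    return False, None


def triage(inventory: str) -> List[Tuple[str, bool, Optional[str]]]:
    """Run check() over inventory lines; returns (host, affected, upgrade_to)."""
    results: List[Tuple[str, bool, Optional[str]]] = []
    for line in inventory.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(","))
        affected, fixed = check(product, version)
        results.append((host, affected, fixed))
    return results


if __name__ == "__main__":
    for host, affected, fixed in triage(SAMPLE_INVENTORY):
        status = f"AFFECTED, upgrade to {fixed}" if affected else "not affected"
        print(f"{host}: {status}")
```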

Acknowledgement

Fortinet is pleased to thank Vulnerability Lab for reporting a FortiManager/FortiAnalyzer vulnerability under responsible disclosure.