PSIRT Advisory

Unauthenticated XSS (Cross Site Scripting) in FortiMail

Summary

An unauthenticated XSS vulnerability could allow an attacker to execute arbitrary scripts in the security context of the browser of a victim logged in FortiMail, assuming the victim is social engineered into clicking an URL crafted by the attacker.

Description

An unauthenticated XSS vulnerability could allow an attacker to execute arbitrary scripts in the security context of the browser of a victim logged in FortiMail, assuming the victim is social engineered into clicking an URL crafted by the attacker.

Impact

Information leak

Affected Products

FortiMail 

5.0.0 -> 5.2.9,

5.3.0 -> 5.3.8

Solutions

Upgrade to FortiMail 5.3.9

Acknowledgement

Fortinet is pleased to thank Ebrahim Hegazy for reporting this vulnerability under responsible disclosure.