FortiOS stored XSS vulnerability in the policy global-label parameter
FortiOS is subject to a Cross-Site Scripting vulnerability, due to an improperly sanitized parameter in a hidden CLI configuration setting named 'global-label' . This can however only be exploited by an administrator with write privileges.
Execute unauthorized code or commands
* FortiOS 5.2 branch from 5.2.0 to 5.2.10
* FortiOS 5.0 branch
* FortiOS 5.0 and 5.2 users must upgrade to FortiOS 5.2.11 or 5.4.0 and above
* FortiOS 4.3 branch is not vulnerable
Fortinet is pleased to thank Mohamed Keffous from CAP GEMINI/SOGETI for reporting this vulnerability under responsible disclosure.