FortiWLC XSS injection via crafted HTTP POST request

Summary

The FortiWLC admin webUI is affected by XSS vulnerabilities, potentially exploitable by an authenticated user, via non-sanitized parameters "refresh" and "branchtotable" present in HTTP POST requests.  A successful attack would involve getting a targeted victim with an open session on the WebUI to visit a malicious URL crafted by the attacker.

Affected Products

FortiWLC 6.1-x (6.1-2, 6.1-4 and 6.1-5)
FortiWLC 7.0-x (7.0-7, 7.0-8, 7.0-9, 7.0-10)
FortiWLC 8.x (8.0, 8.1, 8.2 and 8.3.0-8.3.2)

Solutions

For FortiWLC 7.x branch, upgrade to 7.0.11 or newer versions. For FortiWLC 8.x branch, upgrade to 8.3.3 or newer versions.

Acknowledgement

Fortinet is pleased to thank Ali Ardic (Cyber Security Specialist and Researcher - G.A.I.S.) for reporting this vulnerability under responsible disclosure.