PSIRT Advisory

FortiCloud XSS vulnerability in on-demand sandbox GUI

Summary

Before Dec 5th, 2017, a Cross-Site Scripting (XSS) vulnerability in the forticloud.com on-demand sandbox GUI may have allowed an authenticated user to inject arbitrary web code or HTML into the context of the victim's browser by uploading a maliciously crafted file.

Impact

Cross-site Scripting (XSS)

Affected Products

FortiCloud 3.2.0 and below (Before Dec 5, 2017)

Solutions

FortiCloud 3.2.1 (Online since Dec 5, 2017)

Acknowledgement

Fortinet is pleased to thank Mohamed KEFFOUS of SOGETI for reporting this vulnerability under responsible disclosure.