PSIRT

data pattern name XSS in FortiCASB

Summary

Failure to sanitize input in the customized data pattern webpage of FortiCASB may allow an authenticated attacker to conduct a stored XSS attack via the name parameter.

Affected Products

FortiCASB all versions below 4.1.0

Solutions

FortiCASB had been upgraded to 4.1.0 to address this issue.

Acknowledgement

Fortinet is pleased to thank Johnatan Camargo from PBI | Dynamic IT Security for reporting this vulnerability under responsible disclosure.

IR Number	FG-IR-19-001
Published Date	May 15, 2019
Component	GUI
Severity	Medium
Discovered	External
Attack Type	Authenticated
Known Exploited	No
CVSSv3 Score	5.3
Impact	Execute unauthorized code or commands
Download	CVRF

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

PSIRT

data pattern name XSS in FortiCASB

Summary

Affected Products

Solutions

Acknowledgement

Research Center

Services

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

Threat Intelligence Center

Support Center

Resource Center

About

PSIRT

data pattern name XSS in FortiCASB

Summary

Affected Products

Solutions

Acknowledgement

Threat Intelligence
Center