XSS vulnerability in FortiAuthenticator OWA Agent
An improper neutralization of input during web page generation in FortiAuthenticator Agent for Outlook Web Access may allow an unauthenticated user to perform a cross-site scripting attack (XSS) via a parameter of the logon page.
Execute unauthorized code or commands
FortiAuthenticator Agent for Outlook Web Access v1.5 and below
Upgrade the FortiAuthenticator Agent for Outlook Web Access on your Microsoft Exchange servers to v1.6. The installer is available for download from within the administrative web interface of FortiAuthenticator 6.0.1 or greater; however it is not necessary to upgrade your FortiAuthenticator to resolve this issue.
Customers who do not want to upgrade their FortiAuthenticator appliance or who do not have a spare lab unit are advised to contact their Fortinet support engineer in order to obtain the FortiAuthenticator Agent for Outlook Web Access v1.6 installer.
To contact Fortinet support team please follow this link:
Fortinet is pleased to thank Konstantinos Kanavidis from DEVOQ Technology for reporting this vulnerability under responsible disclosure.