FAC OWA injection vulnerability on login page

Summary

An improper neutralization of input during web page generation in FortiAuthenticator Agent for Outlook Web Access may allow an unauthenticated user to perform a cross-site scripting attack (XSS) via a parameter of the logon page.

Affected Products

FortiAuthenticator Agent for Outlook Web Access v1.5 and below

Solutions

Upgrade the FortiAuthenticator Agent for Outlook Web Access on your Microsoft Exchange servers to v1.6. The installer is available for download from within the administrative web interface of FortiAuthenticator 6.0.1 or greater; however it is not necessary to upgrade your FortiAuthenticator to resolve this issue.
Customers who do not want to upgrade their FortiAuthenticator appliance or who do not have a spare lab unit are advised to contact their Fortinet support engineer in order to obtain the FortiAuthenticator Agent for Outlook Web Access v1.6 installer.
To contact Fortinet support team please follow this link:
https://www.fortinet.com/support/contact.html

Acknowledgement

Fortinet is pleased to thank Konstantinos Kanavidis from DEVOQ Technology for reporting this vulnerability under responsible disclosure.