PSIRT Advisory

XSS Vulnerability in Disclaimer Description of a Replacement Message in FortiWeb

Summary

An improper neutralization of input vulnerability in FortiWeb may allow a remote authenticated attacker to perform a stored cross-site scripting (XSS) attack via the Disclaimer Description of a Replacement Message.
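The advisory names the vulnerability class (improper neutralization of input leading to stored XSS) without showing what that looks like in a template. The following is an added, generic illustration written for this page; it is not FortiWeb code and says nothing about how FortiWeb renders replacement messages. All function names and the sample description string are constructed for the example. It places a stored, user-controlled "disclaimer description" into HTML once verbatim and once after entity encoding, and includes a small check a regression test could use to confirm that no tag other than the template's own wrapper reaches the output.

```javascript
// Added illustration (not FortiWeb code): a stored text field rendered into
// HTML with and without neutralization. Names and sample input are constructed.

// Minimal HTML entity encoding for text placed inside an element body.
// This is the "neutralization" step the advisory's vulnerability class lacks.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")   // must come first so later entities are not re-encoded
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the stored field is interpolated straight into markup,
// so any markup an authenticated editor saved is interpreted by every viewer.
function renderDisclaimerUnsafe(description) {
  return `<div class="disclaimer">${description}</div>`;
}

// Hardened pattern: same template, but the field is entity-encoded at output
// time, in the context it is emitted into (element body), so it renders as text.
function renderDisclaimerSafe(description) {
  return `<div class="disclaimer">${escapeHtml(description)}</div>`;
}

// Regression-test aid: after stripping the wrapper the template itself emits,
// does anything that parses as a tag or comment opener remain?
function containsForeignTag(html) {
  const body = html
    .replace(/^<div class="disclaimer">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-zA-Z/!]/.test(body);
}

// Constructed sample: a saved description that happens to contain markup.
const sampleDescription = 'Access monitored <img src=x onerror="alert(1)"> by policy';

// Results a caller or test can inspect.
const unsafeOutput = renderDisclaimerUnsafe(sampleDescription);
const safeOutput = renderDisclaimerSafe(sampleDescription);
```

The point the example makes is that the fix for a stored XSS lives at the rendering step: encoding for the output context neutralizes whatever was persisted, whereas filtering only at save time leaves every other path that writes the same field unprotected.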

Impact

Unauthorized code execution

Affected Products

FortiWeb version 6.2.2 and below.

FortiWeb version 6.3.0.

Solutions

Please upgrade to FortiWeb version 6.2.3 or above.

Please upgrade to FortiWeb version 6.3.1 or above.

Acknowledgement

Fortinet is pleased to thank Danilo Costa from PBI for reporting this vulnerability under responsible disclosure.