FortiAnalyzer and FortiManager stored XSS vulnerability in report filters
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-16-051
Final
1
1
2016-10-05T00:00:00
Current version
2016-10-05T00:00:00
2016-10-05T00:00:00
A cross-site scripting vulnerability in the advanced settings page of FortiAnalyzer/FortiManager could allow an administrator to inject scripts in the add filter field.
Access to another privileged administrator user's data
FortiManager: 5.0.0 - 5.0.11, 5.2.0 - 5.2.2
FortiAnalyzer: 5.0.0 - 5.0.12, 5.2.0 - 5.2.2
Upgrade to:
FortiManager: 5.0.12 and above, 5.2.3 and above, 5.4.0 and above
FortiAnalyzer: 5.0.13 and above, 5.2.3 and above, 5.4.0 and above
FortiManager hardware models without hard disk are not affected. This feature is disabled by default in all FortiManager versions.
Fortinet is pleased to thank Ismail Saygili for reporting a FortiManager/FortiAnalyzer vulnerability under responsible disclosure.
CVE-2015-7363
https://fortiguard.fortinet.com/psirt/FG-IR-16-051