FortiSIEM - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-19-197
Final
1
1
2020-01-27T00:00:00
Current version
2020-01-27T00:00:00
2020-01-27T00:00:00
An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM may allow a remote authenticated attacker to perform a Stored Cross-Site Scripting (XSS) attack by injecting malicious JavaScript code into the description field of a Device Maintenance Schedule.
Unauthorized code execution
FortiSIEM version 5.2.5 and below.
Please upgrade to FortiSIEM version 5.2.6 and above.
Fortinet is very pleased to thank Luca Sangalli (luca91.sanga@gmail.com; https://it.linkedin.com/in/luca-sangalli-0a6462105) for bringing this issue to our attention under responsible disclosure and for helping us make our products more secure.
FortiSIEM 5.2.5
CVE-2019-17651
FortiSIEM-5.2.5
3.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N/E:U/RL:X/RC:X
https://fortiguard.fortinet.com/psirt/FG-IR-19-197