FortiAnalyzer and FortiManager stored XSS vulnerability in report filters
Summary
A stored cross-site-scripting vulnerability in the FortiAnalyzer/FortiManager advanced settings page could allow an administrator to inject scripts via the add filter field.
Affected Products
FortiManager: 5.0.0 - 5.0.11, 5.2.0 - 5.2.2
FortiAnalyzer: 5.0.0 - 5.0.12, 5.2.0 - 5.2.2
Solutions
Upgrade to:
FortiManager
5.0.12 and above
5.2.3 and above
5.4.0 and above
FortiAnalyzer
5.0.13 and above
5.2.3 and above
5.4.0 and above
FortiManager hardware models without hard disk are not affected.
This feature is disabled by default in all FortiManager versions.
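As an added example (not part of the Fortinet advisory), the following script checks an inventory of FortiManager/FortiAnalyzer builds against the affected ranges and fixed releases listed above; it assumes versions are written as three dot-separated integers and that the sample inventory is constructed.

```python
# Added example, not Fortinet code: decide whether a FortiManager/FortiAnalyzer
# build falls inside the affected ranges published in this advisory.
from typing import Optional, Tuple

# Affected ranges, inclusive, exactly as listed under "Affected Products".
AFFECTED = {
    "FortiManager": [("5.0.0", "5.0.11"), ("5.2.0", "5.2.2")],
    "FortiAnalyzer": [("5.0.0", "5.0.12"), ("5.2.0", "5.2.2")],
}

# First fixed release per branch, as listed under "Solutions".
FIXED = {
    "FortiManager": {"5.0": "5.0.12", "5.2": "5.2.3", "5.4": "5.4.0"},
    "FortiAnalyzer": {"5.0": "5.0.13", "5.2": "5.2.3", "5.4": "5.4.0"},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.2.10' into (5, 2, 10) so comparisons are numeric, not lexical."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True if the build lies inside a published affected range (inclusive)."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product: {product!r}")
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi)
               for lo, hi in AFFECTED[product])


def recommended_upgrade(product: str, version: str) -> Optional[str]:
    """First fixed release on the same branch, or None if not affected."""
    if not is_affected(product, version):
        return None
    branch = ".".join(version.split(".")[:2])
    return FIXED[product][branch]


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    inventory = [("FortiManager", "5.2.1"), ("FortiAnalyzer", "5.0.13"),
                 ("FortiAnalyzer", "5.0.9")]
    for product, version in inventory:
        fix = recommended_upgrade(product, version)
        print(f"{product} {version}: "
              f"{'affected, upgrade to ' + fix if fix else 'not affected'}")
```

The check is version-only: it does not account for the hardware-model and feature-disabled caveats stated in the advisory, so treat a hit as "review this device" rather than "confirmed exposed".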
Acknowledgement
Fortinet is pleased to thank Ismail Saygili for reporting a FortiManager/FortiAnalyzer vulnerability under responsible disclosure.