
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN527
_____________________________________________________________________

DATE                : 21/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiManager, FortiAnalyzer
                               versions prior to 6.4.0.

=====================================================================
https://www.fortiguard.com/psirt/FG-IR-20-005
_____________________________________________________________________


XSS vulnerability in FortiManager and FortiAnalyzer

Summary

An improper neutralization of script-related HTML tags in a web page in
FortiManager and FortiAnalyzer may allow an attacker to perform a
cross-site scripting (XSS) attack via the Identity Provider name field.
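
The following Node.js snippet is an added illustration of the bug class the
advisory names (a display-name field written into a page without its HTML
metacharacters being neutralized). It is not Fortinet's code and is not part
of the original advisory: the column name, the rendering functions and the
payload string are constructed for the example.

```javascript
// Added example (not Fortinet's code): the XSS bug class described in
// FG-IR-20-005, shown on a hypothetical "Identity Provider name" field.

// Vulnerable rendering: the stored name is concatenated straight into markup,
// so any tags or attributes it contains become part of the page.
function renderIdpRowUnsafe(idpName) {
  return `<tr><td class="idp-name">${idpName}</td></tr>`;
}

// Output encoding: map the five HTML metacharacters to entities so the
// browser can only ever see the value as a text node.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same template, value encoded at the point of output.
function renderIdpRowSafe(idpName) {
  return `<tr><td class="idp-name">${escapeHtml(idpName)}</td></tr>`;
}

// Constructed payload: a "name" carrying an event-handler attribute, the kind
// of value an attacker would try to store in a free-text configuration field.
const CONSTRUCTED_PAYLOAD = 'Corp IdP<img src=x onerror="alert(document.domain)">';

// Check used both as a unit test and as a review aid: extract the cell
// content and confirm it contains no raw markup characters.
function cellIsInert(html) {
  const m = html.match(/<td class="idp-name">(.*)<\/td>/s);
  return m !== null && !/[<>"']/.test(m[1]);
}

console.log('unsafe:', renderIdpRowUnsafe(CONSTRUCTED_PAYLOAD));
console.log('safe:  ', renderIdpRowSafe(CONSTRUCTED_PAYLOAD));
console.log('unsafe inert?', cellIsInert(renderIdpRowUnsafe(CONSTRUCTED_PAYLOAD)));
console.log('safe inert?  ', cellIsInert(renderIdpRowSafe(CONSTRUCTED_PAYLOAD)));
```

Entity-encoding at output time is the fix for the class of bug the advisory
describes; a stored value that is only validated on input can still reach the
page by other paths (import, API, CLI), so the encoding belongs where the
value is rendered.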


Impact

Execute unauthorized code or commands


Affected Products

FortiManager version 6.2.0, 6.2.1, 6.2.2 and 6.2.3
FortiAnalyzer version 6.2.0, 6.2.1, 6.2.2 and 6.2.3


Solutions

Please upgrade to the upcoming FortiManager release 6.4.0.
Please upgrade to the upcoming FortiAnalyzer release 6.4.0.


Acknowledgement

Fortinet is pleased to thank Danilo Costa from PBI Dynamic IT Security
for reporting this vulnerability under responsible disclosure.



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


