
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN528
_____________________________________________________________________

DATE                : 22/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiManager versions prior to
                     6.2.6, 6.4.2,
                     FortiAnalyzer versions prior to 3.9.0.

=====================================================================
https://fortiguard.com/psirt/FG-IR-20-054
_____________________________________________________________________


HTML Injection Vulnerability observed in FortiAnalyzer and FortiTester

IR Number : FG-IR-20-054

Date      : Sep 21, 2020

Risk      : 3/5

Impact    : Unauthorized code execution

CVE ID    : CVE-2020-12815, CVE-2020-12817


Summary

An improper neutralization of input vulnerability in FortiAnalyzer and
FortiTester may allow a remote authenticated attacker to inject
script-related HTML tags via the Storage Connectors Name parameter and
the IPv4/IPv6 address fields respectively.


Impact

Unauthorized code execution


Affected Products

FortiAnalyzer versions 6.2.5, 6.4.1 and below. FortiTester versions
3.8.0, 3.7.0 and below.


Solutions

Please upgrade to FortiAnalyzer version 6.2.6, 6.4.2 or above. Please
upgrade to FortiTester version 3.9.0 or above.


Acknowledgement

Fortinet is pleased to thank Researcher Johnatan Camargo and Researcher
Danilo Costa for reporting this vulnerability under responsible
disclosure.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



