=====================================================================

                             CERT-Renater

                   Note d'Information No. 2023/VULN326

_____________________________________________________________________

DATE                : 14/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiOS versions prior to 7.4.0,
                     7.2.5, 7.0.12, 6.4.13, 6.2.15,
                     FortiProxy versions prior to 7.2.5, 7.0.11.

=====================================================================
https://fortiguard.fortinet.com/psirt/FG-IR-23-106
_____________________________________________________________________


FortiOS & FortiProxy - Stored XSS in guest management page


Summary

An improper neutralization of input during web page generation
('Cross-site Scripting') vulnerability [CWE-79] in the FortiOS and
FortiProxy GUI may allow an authenticated attacker to trigger
malicious JavaScript code execution via a crafted guest management
setting.


Affected Products

FortiProxy version 7.2.0 through 7.2.4
FortiProxy version 7.0.0 through 7.0.10
FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.11
FortiOS version 6.4.0 through 6.4.12
FortiOS version 6.2.0 through 6.2.14


Solutions

Please upgrade to FortiProxy version 7.2.5 or above
Please upgrade to FortiProxy version 7.0.11 or above
Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.5 or above
Please upgrade to FortiOS version 7.0.12 or above
Please upgrade to FortiOS version 6.4.13 or above
Please upgrade to FortiOS version 6.2.15 or above
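The affected ranges and fixed releases above can be turned into a
triage helper for a device inventory. The following is an added
example, not part of the CERT-Renater bulletin or Fortinet's PSIRT
material; the version strings it accepts (e.g. "v7.0.11,build0489")
and the sample inventory are assumptions.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges (product, first affected, last affected) from the bulletin.
AFFECTED = [
    ("FortiProxy", (7, 2, 0), (7, 2, 4)),
    ("FortiProxy", (7, 0, 0), (7, 0, 10)),
    ("FortiOS", (7, 2, 0), (7, 2, 4)),
    ("FortiOS", (7, 0, 0), (7, 0, 11)),
    ("FortiOS", (6, 4, 0), (6, 4, 12)),
    ("FortiOS", (6, 2, 0), (6, 2, 14)),
]
# Minimum fixed release per branch, from the Solutions section.
FIXED = {
    "FortiProxy": [(7, 2, 5), (7, 0, 11)],
    "FortiOS": [(7, 4, 0), (7, 2, 5), (7, 0, 12), (6, 4, 13), (6, 2, 15)],
}

def parse_version(text: str) -> Version:
    """Accept 'v7.0.11', '7.0.11,build0489' or '7.0.11' and return (7, 0, 11).
    The 'vX.Y.Z,buildNNNN' shape is an assumption about the GUI/CLI output."""
    core = text.strip().lstrip("vV").split(",")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)

def check(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Classify a device as 'affected' (with the release to upgrade to),
    'fixed', or 'not-listed' (branch not covered by the bulletin)."""
    v = parse_version(version)
    for prod, lo, hi in AFFECTED:
        if prod == product and lo <= v <= hi:
            # The fix for this branch is the listed release sharing major.minor.
            fix = next(f for f in FIXED[product] if f[:2] == v[:2])
            return "affected", fmt(fix)
    for f in FIXED.get(product, []):
        if f[:2] == v[:2] and v >= f:
            return "fixed", None
    return "not-listed", None

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for prod, ver in [("FortiOS", "v7.0.11,build0489"), ("FortiOS", "7.4.1"),
                      ("FortiProxy", "7.2.5"), ("FortiOS", "6.0.15")]:
        print(prod, ver, *check(prod, ver))
```

A "not-listed" result means the branch is not mentioned in this
bulletin at all, so it should be checked against the vendor advisory
rather than treated as safe.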


Acknowledgement

Internally discovered and reported by William Costa from
Fortinet's CSE team


Timeline
2023-09-01: Initial publication


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
