FortiOS Reflected XSS in Web Proxy Disclaimer Response web page


A reflected XSS vulnerability exists in the FortiOS web proxy disclaimer response web pages. It is potentially exploitable by an unauthenticated attacker who sends a maliciously crafted URL to the victim; when the victim visits that URL, arbitrary JavaScript code is executed in the security context of his or her browser.
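The class of defect described above, a page that echoes values from the request URL back into its own HTML, is illustrated below with a generic disclaimer page that reflects two query parameters, once without encoding and once with HTML-entity encoding plus a scheme check on the link target. This is added example code, not FortiOS code or Fortinet's fix; the page layout, the parameter names (`url`, `reason`) and the handler functions are assumptions made for the demonstration.

```python
"""Constructed illustration of a reflected XSS in a web proxy "disclaimer"
page and of the output-encoding fix.  Not FortiOS code: the template, the
parameter names and the functions below are assumptions for this example.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed page: tells the user which site was intercepted and why.
# The same untrusted value ({url}) lands in an attribute and in text,
# so both contexts must be handled.
DISCLAIMER_TEMPLATE = (
    "<html><body><h1>Web proxy disclaimer</h1>"
    '<p>You requested: <a href="{href}">{url}</a></p>'
    "<p>Reason: {reason}</p>"
    '<form method="post"><button>Continue</button></form>'
    "</body></html>"
)


def reflected_params(request_url: str) -> dict:
    """Pull the two query parameters the page reflects out of the request
    URL.  parse_qs percent-decodes them, so '%3C' arrives as '<'."""
    qs = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    return {
        "url": qs.get("url", [""])[0],
        "reason": qs.get("reason", [""])[0],
    }


def render_vulnerable(request_url: str) -> str:
    """Vulnerable pattern: query values are interpolated into the HTML
    verbatim, so markup or a javascript: link in the URL is reflected
    into the victim's browser unchanged."""
    p = reflected_params(request_url)
    return DISCLAIMER_TEMPLATE.format(href=p["url"], url=p["url"], reason=p["reason"])


def safe_href(value: str) -> str:
    """Allow only http(s) link targets; anything else renders as an inert '#'."""
    return value if urlsplit(value).scheme.lower() in ("http", "https") else "#"


def render_hardened(request_url: str) -> str:
    """Hardened pattern: every reflected value is HTML-entity encoded with
    quote=True (covers the attribute context as well as text), and the
    href is additionally restricted to http(s) schemes."""
    p = reflected_params(request_url)
    return DISCLAIMER_TEMPLATE.format(
        href=escape(safe_href(p["url"]), quote=True),
        url=escape(p["url"], quote=True),
        reason=escape(p["reason"], quote=True),
    )


def response_headers() -> dict:
    """Defence-in-depth headers a disclaimer page should be served with:
    a restrictive CSP makes reflected inline script inert even if an
    encoding bug slips through.  Assumed values, not a product setting."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "text/html; charset=utf-8",
    }


# Constructed crafted request URL of the kind the advisory describes.
CRAFTED_REQUEST = (
    "https://proxy.example.test/disclaimer"
    "?url=javascript:alert(1)&reason=%3Cscript%3Ealert(1)%3C/script%3E"
)

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CRAFTED_REQUEST))
    print("hardened:  ", render_hardened(CRAFTED_REQUEST))
```

Running the block prints both renderings of the same crafted request: the vulnerable one carries the script element and the `javascript:` link through untouched, while the hardened one shows `&lt;script&gt;` as visible text and an `href="#"`. The encoding happens at the point of output, per context, which is the fix that actually closes a reflected XSS; input filtering alone is not.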

Affected Products

FortiOS 5.6.0
FortiOS 5.4.0 to 5.4.5
FortiOS 5.2.0 to 5.2.11

Solutions

Upgrade to FortiOS 5.2.12, 5.4.6 or 5.6.1

Acknowledgement

Fortinet is pleased to thank "usd AG" and "Serge Ivanov of Payvision BV" for reporting this vulnerability under responsible disclosure.