On FortiAuthenticator, a HTML page is returned to the user when the CSRF validation fails on referer mismatch. This page displays the faulty referer without sanitizing it. Therefore, in an attack scenario where the referer could be manipulated, the attacker could inject malicious scripts in the aforementioned HTML-page.
FortAuthenticator below 5.3.0 versions.
Upgrade to FortiAuthenticator 5.3.0 or above.