PSIRT Advisories

Cross-site scripting (XSS) vulnerability via DHCP Hostname parameter


An attacker could send DHCP request containing malicious scripts in the HOSTNAME parameter. The malicious script code is executed while viewing the logs in FortiAnalyzer and FortiManager (with FortiAnalyzer feature enabled).

Affected Products

FortiAnalyzer 5.6.0 and below versions.
FortiManager 5.6.0 and below versions.


Upgrade to FortiAnalyzer 5.6.1 or above.
Upgrade to FortiManager 5.6.1 or above.


Fortinet is pleased to thank Adrian Dabrowski of SBA Research gGmbH Sitz for reporting this vulnerability under responsible disclosure.