Cross-site scripting (XSS) vulnerability via DHCP Hostname parameter
An attacker could send DHCP request containing malicious scripts in the HOSTNAME parameter. The malicious script code is executed while viewing the logs in FortiAnalyzer and FortiManager (with FortiAnalyzer feature enabled).
FortiAnalyzer 5.6.0 and below versions.
FortiManager 5.6.0 and below versions.
Upgrade to FortiAnalyzer 5.6.1 or above.
Upgrade to FortiManager 5.6.1 or above.
Fortinet is pleased to thank Adrian Dabrowski of SBA Research gGmbH Sitz for reporting this vulnerability under responsible disclosure.