FortiSIEM - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM may allow a remote authenticated attacker to perform a Stored Cross-Site Scripting (XSS) attack by injecting malicious JavaScript code into the description field of a Device Maintenance Schedule.

Affected Products

FortiSIEM version 5.2.5 and below.


Please upgrade to FortiSIEM version 5.2.6 or above.


Fortinet is very pleased to thank Luca Sangalli for bringing this issue to our attention under responsible disclosure and for helping us make our products more secure.