FortiOS - Host header injection vulnerability


An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS may allow a remote unauthenticated attacker to either redirect users to malicious websites via a crafted "Host" header or to execute JavaScript code in the victim's browser context.

This happens when web filtering and category override are enabled and configured on the FortiGate.
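To illustrate the defect class the advisory describes (a generated page that trusts the request's Host header), the following is an added example written for this page, not FortiOS code: a constructed override-link builder in its vulnerable form beside a hardened one that validates the Host header against an allowlist and escapes everything it reflects. ALLOWED_HOSTS and the function names are assumptions.

```python
import html
from urllib.parse import quote

# Constructed allowlist of names the appliance is legitimately reached on
# (assumption for this example; a real device would take these from config).
ALLOWED_HOSTS = {"fortigate.example.internal", "192.0.2.1"}


def host_is_trusted(host_header: str) -> bool:
    """Accept the Host header only if it names the appliance itself.

    An optional :port suffix is tolerated, but the hostname part must be an
    exact allowlist match, so look-alike domains and injected quote/angle
    characters are rejected rather than reflected.
    """
    value = host_header.strip().lower()
    host, _, port = value.rpartition(":")
    if not port.isdigit():      # no port suffix: the whole value is the host
        host = value
    return host in ALLOWED_HOSTS


def override_link_unsafe(host_header: str, blocked_url: str) -> str:
    """Vulnerable pattern (constructed): the Host header is copied verbatim
    into the generated page, so whoever controls it controls the link target
    and can break out of the attribute into raw HTML."""
    return f'<a href="https://{host_header}/override?url={blocked_url}">Override</a>'


def override_link_safe(host_header: str, blocked_url: str) -> str:
    """Hardened pattern: use the Host header only after allowlist validation,
    URL-encode the reflected parameter and HTML-escape the attribute value."""
    if not host_is_trusted(host_header):
        raise ValueError("Host header does not name this appliance")
    host = host_header.strip().lower()
    link = f"https://{host}/override?url={quote(blocked_url, safe='')}"
    return f'<a href="{html.escape(link, quote=True)}">Override</a>'
```

The same allowlist check is also a useful detection signal: requests whose Host value fails host_is_trusted() on an appliance's own management or block pages are worth logging.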

Affected Products

FortiOS version 6.4.1 and below.

FortiOS version 6.2.9 and below.

Solutions

Please upgrade to FortiOS version 6.4.2 or above.

Please upgrade to FortiOS version 6.2.10 or above.

Acknowledgement

Fortinet is pleased to thank Justin McCarthy for reporting this issue under responsible disclosure.