HTML Injection Vulnerability observed in FortiAnalyzer and FortiTester


An improper neutralization of input vulnerability in FortiAnalyzer and FortiTester may allow a remote authenticated attacker to inject script-related HTML tags via the Storage Connectors Name parameter and the IPv4/IPv6 address fields, respectively.
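Flaws of this class are closed by validating structured fields such as IP addresses on input and HTML-encoding free-text fields such as names on output. The sketch below is an added example, not Fortinet code; the function names, field names and sample values are hypothetical and constructed for illustration.

```python
import html
import ipaddress

# Constructed sample inputs; the keys are hypothetical field names.
SAMPLES = {
    "connector_name": "backup<img src=x onerror=alert(1)>",
    "ipv4_ok": " 192.0.2.10 ",
    "ipv6_ok": "2001:0DB8:0:0:0:0:0:1",
    "ip_markup": '192.0.2.10"><b>x</b>',
    "ip_zone": "fe80::1%<script>",
}


def normalize_ip(value: str) -> str:
    """Accept only a literal IPv4/IPv6 address and return its canonical form.

    Raises ValueError for anything else, so markup is rejected before storage.
    """
    value = value.strip()
    # Python 3.9+ parses IPv6 zone ids ("fe80::1%eth0") and allows arbitrary
    # text after '%', so reject them explicitly instead of trusting the parser.
    if "%" in value:
        raise ValueError("zone identifiers are not accepted")
    return str(ipaddress.ip_address(value))


def render_name(value: str) -> str:
    """HTML-encode a free-text name at output time (quotes included)."""
    return html.escape(value, quote=True)


def render_row(name: str, address: str) -> str:
    """Build one table row from untrusted fields.

    The address is validated and then still encoded (defence in depth);
    the name is free text, so it is only encoded.
    """
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        render_name(name), html.escape(normalize_ip(address), quote=True)
    )


if __name__ == "__main__":
    print(render_row(SAMPLES["connector_name"], SAMPLES["ipv4_ok"]))
    for key in ("ip_markup", "ip_zone"):
        try:
            normalize_ip(SAMPLES[key])
        except ValueError as exc:
            print("rejected", key, "->", exc)
```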

Affected Products

FortiAnalyzer versions 6.2.5, 6.4.1 and below.
FortiTester versions 3.8.0; 3.7.0 and below.


Please upgrade to FortiAnalyzer version 6.2.6, 6.4.2 or above.
Please upgrade to FortiTester version 3.9.0 or above.


Fortinet is pleased to thank Researcher Johnatan Camargo and Researcher Danilo Costa for reporting this vulnerability under responsible disclosure.