PSIRT Advisories

FortiMail - Cross-site scripting (XSS) in Webmail

Summary

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail Webmail may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack by sending specially crafted mail messages.

Affected Products

FortiMail version 7.0.0 through 7.0.3
FortiMail version 6.4.0 through 6.4.7
FortiMail version 6.2.0 through 6.2.8
FortiMail version 6.0.0 through 6.0.12

Solutions

Please upgrade to FortiMail version 7.2.0 or above
Please upgrade to FortiMail version 7.0.4 or above

Acknowledgement

Internally discovered by Giuseppe Cocomazzi.