PSIRT Advisories

FortiWeb - Reflected cross-site scripting in SAML login

Summary

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiWeb may allow an unauthenticated attacker to perform a reflected cross-site scripting (XSS) attack via crafted HTTP GET requests to the SAML login webpage.
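The following is an added illustration of the CWE-79 class described above, not FortiWeb's code and not the advisory's own material: a login page builder that reflects a query parameter taken from a GET request. The endpoint path, the parameter name RelayState and the crafted request are assumptions chosen for illustration; the advisory does not disclose the actual vector. The vulnerable version concatenates the value into the HTML unescaped; the corrected version escapes it for the attribute context before concatenation.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request line: a GET to a hypothetical SAML login endpoint carrying a
# payload that closes the quoted attribute and opens a script tag. The path and
# parameter name are assumptions, not the real FortiWeb URL or parameter.
CRAFTED_REQUEST = "/saml/login?RelayState=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"


def reflected_param(request_target, name):
    """Return the (URL-decoded) value of one query parameter from a request target."""
    qs = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(value):
    """CWE-79: attacker-controlled input is placed in the page without neutralization.

    A value containing a double quote and angle brackets terminates the attribute
    and the tag, so the rest of the value is parsed as new markup.
    """
    return '<input type="hidden" name="RelayState" value="' + value + '">'


def render_fixed(value):
    """Neutralized for the quoted-attribute context.

    html.escape(..., quote=True) encodes & < > " and ' so the value can neither
    close the attribute nor introduce a new element; the browser decodes the
    entities back into the literal text when it reads the attribute.
    """
    return '<input type="hidden" name="RelayState" value="' + html.escape(value, quote=True) + '">'


def contains_injected_tag(page):
    """Coarse check used only to show the difference between the two renderers:
    does a literal <script> element appear in the generated HTML?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    value = reflected_param(CRAFTED_REQUEST, "RelayState")
    print("vulnerable:", render_vulnerable(value))
    print("fixed:     ", render_fixed(value))
```

Escaping is context-specific: the HTML-entity encoding shown here is correct inside an attribute or element body, but a value reflected into a JavaScript string, a URL or a CSS block needs the encoder for that context, and output encoding belongs where the page is generated, not in an input filter upstream.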

Affected Products

FortiWeb versions 6.4.0 and 6.4.1.

Solutions

Upgrade to the upcoming FortiWeb version 7.0.0 or above.
Upgrade to FortiWeb version 6.4.2 or above.
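As an added example that is not part of the advisory, the following triage helper applies the version information above to a device inventory: 6.4.0 and 6.4.1 are reported as affected, 6.4.2 and above (which includes the 7.0.0 branch) as fixed, and anything else as not listed in this advisory, since the page makes no statement about other branches. The inventory entries are constructed sample data.

```python
import re

# Versions the advisory names as affected.
AFFECTED = {(6, 4, 0), (6, 4, 1)}
# Lowest release the advisory names as fixed; "or above" covers 7.0.0 and later.
FIXED_FROM = (6, 4, 2)

# Constructed inventory (hostname, version string as an asset tool might report it).
INVENTORY = [
    ("fwb-dmz-01", "FortiWeb 6.4.0"),
    ("fwb-dmz-02", "v6.4.1"),
    ("fwb-lab-01", "6.4.2"),
    ("fwb-lab-02", "FortiWeb 7.0.0"),
    ("fwb-legacy", "6.3.15"),
]


def parse_version(text):
    """Extract the first dotted numeric version from a string as a tuple of ints.

    Accepts forms such as '6.4.1', 'v6.4.1' or 'FortiWeb 6.4.1'; raises ValueError
    if no x.y.z version is present so a bad inventory row is not silently ignored.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def status(version_text):
    """Classify one version against this advisory."""
    version = parse_version(version_text)
    if version in AFFECTED:
        return "affected"
    if version >= FIXED_FROM:
        return "fixed"
    return "not listed"


def triage(inventory):
    """Return {hostname: status} for every device in the inventory."""
    return {host: status(version) for host, version in inventory}


if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host}: {result}")
```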

Acknowledgement

Internally discovered and reported by Mattia Fecit of the Fortinet Product Security team.