FortiAnalyzer - XSS vulnerability due to AngularJS Client-Side Template injection


An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAnalyzer may allow a remote unauthenticated attacker to perform a stored cross site scripting (XSS) attack via the URL parameter observed in the FortiWeb attack event logview in FortiAnalyzer.

Affected Products

FortiAnalyzer version 7.2.0 through 7.2.1.
FortiAnalyzer version 7.0.0 through 7.0.4
FortiAnalyzer version 6.4.0 through 6.4.8
FortiAnalyzer version 6.2.0 through 6.2.9
FortiAnalyzer version 6.0.0 through 6.0.11


Please upgrade to FortiAnalyzer version 7.2.2 or above
Please upgrade to FortiAnalyzer version 7.0.5 or above
Please upgrade to FortiAnalyzer version 6.4.9 or above


Fortinet is pleased to thank Robertino Bristiel and Michał Janczyk from NASK SA for reporting this vulnerability under responsible disclosure.