XSS in Show Audit Log
Summary
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiNAC may allow a remote unauthenticated attacker to perform a stored cross site scripting (XSS) attack via the name fields observed in the policy audit logs.
Version | Affected | Solution |
---|---|---|
FortiNAC 9.4 | 9.4.0 through 9.4.3 | Upgrade to 9.4.4 or above |
FortiNAC 9.2 | 9.2 all versions | Migrate to a fixed release |
FortiNAC 9.1 | 9.1 all versions | Migrate to a fixed release |
FortiNAC 8.8 | 8.8 all versions | Migrate to a fixed release |
FortiNAC 8.7 | 8.7 all versions | Migrate to a fixed release |
FortiNAC 8.6 | 8.6 all versions | Migrate to a fixed release |
FortiNAC 8.5 | 8.5 all versions | Migrate to a fixed release |
FortiNAC 8.3 | 8.3 all versions | Migrate to a fixed release |
FortiNAC 7.2 | 7.2.0 through 7.2.2 | Upgrade to 7.2.3 or above |
Acknowledgement
Internally discovered and reported by Heidi White of Fortinet QA team.Timeline
2024-01-24: Initial publication