XSS in Show Audit Log

Summary

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiNAC may allow a remote unauthenticated attacker to perform a stored cross-site scripting (XSS) attack via the name fields shown in the policy audit logs.
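The following is an added illustration of the CWE-79 pattern described above, not FortiNAC code: a stored name field is read back from an audit log and written into a page. The entry field names (`timestamp`, `policyName`, `action`), the sample entries and the two renderers are hypothetical; the point is the difference between interpolating a stored value into markup and encoding it for the HTML text context first.

```javascript
// Added example (hypothetical, not FortiNAC's implementation): rendering
// audit-log rows with and without output encoding of stored name fields.

// Encode the characters that are significant in HTML text and attribute
// contexts so a stored string is displayed rather than interpreted.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (CWE-79): the stored name field goes into the page as-is.
function renderAuditRowUnsafe(entry) {
  return `<tr><td>${entry.timestamp}</td><td>${entry.policyName}</td><td>${entry.action}</td></tr>`;
}

// Hardened pattern: every field that originated from user input is encoded
// at the moment it is placed into the HTML text context.
function renderAuditRowSafe(entry) {
  return (
    `<tr><td>${escapeHtml(entry.timestamp)}</td>` +
    `<td>${escapeHtml(entry.policyName)}</td>` +
    `<td>${escapeHtml(entry.action)}</td></tr>`
  );
}

// Build a whole table from a list of entries using the chosen row renderer.
function renderAuditTable(entries, rowRenderer) {
  const rows = entries.map(rowRenderer).join("");
  return `<table><tr><th>Time</th><th>Policy</th><th>Action</th></tr>${rows}</table>`;
}

// Constructed sample audit entries (hypothetical field names and values).
// The second entry carries the kind of name value that a neutralization
// bug would pass through unchanged.
const sampleEntries = [
  { timestamp: "2024-01-24T10:00:00Z", policyName: "Guest-Access", action: "created" },
  { timestamp: "2024-01-24T10:05:00Z", policyName: '<img src=x onerror="alert(1)">', action: "renamed" },
];

// A defender-side check: does the rendered HTML still contain a raw tag
// opener that did not come from the template itself? The template only
// emits <table>, <tr>, <th> and <td>, so anything else is a leak.
function leaksStoredMarkup(html) {
  const stripped = html.replace(/<\/?(table|tr|th|td)>/g, "");
  return /<[a-z]/i.test(stripped);
}

// Standalone usage: print both renderings so the difference is visible.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderAuditTable(sampleEntries, renderAuditRowUnsafe));
  console.log("safe:  ", renderAuditTable(sampleEntries, renderAuditRowSafe));
}
```

In a DOM-based UI the equivalent of `renderAuditRowSafe` is to assign stored values through `textContent` or `createTextNode` rather than `innerHTML`; the encoding function is only needed when markup is assembled as a string before insertion. The `leaksStoredMarkup` check is the sort of assertion a unit test for an audit-log view can run over fixture entries containing angle brackets and quotes.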

Version        Affected               Solution
FortiNAC 9.4   9.4.0 through 9.4.3    Upgrade to 9.4.4 or above
FortiNAC 9.2   9.2 all versions       Migrate to a fixed release
FortiNAC 9.1   9.1 all versions       Migrate to a fixed release
FortiNAC 8.8   8.8 all versions       Migrate to a fixed release
FortiNAC 8.7   8.7 all versions       Migrate to a fixed release
FortiNAC 8.6   8.6 all versions       Migrate to a fixed release
FortiNAC 8.5   8.5 all versions       Migrate to a fixed release
FortiNAC 8.3   8.3 all versions       Migrate to a fixed release
FortiNAC 7.2   7.2.0 through 7.2.2    Upgrade to 7.2.3 or above

Acknowledgement

Internally discovered and reported by Heidi White of Fortinet QA team.

Timeline

2024-01-24: Initial publication