PSIRT Advisory

XSS vulnerability in the URL of the FortiGateCloud Login Page

Summary

An improper neutralization of input vulnerability in the FortiGateCloud login page may allow a remote, unauthenticated attacker to perform a reflected cross-site scripting (XSS) attack via a specially crafted login request.

Impact

Unauthorized code execution

Affected Products

FortiGateCloud version 4.4

Solutions

Fixed in FortiGateCloud version 20.1. Starting in 2020, FortiGateCloud will employ a new version syntax.

Acknowledgement

Fortinet is pleased to thank Johnatan Camargo from PBI | Dynamic IT Security for reporting this vulnerability under responsible disclosure.