QID 376130
Date Published: 2021-12-07
QID 376130: FortiGate FortiManager and FortiAnalyzer Cross-Site Scripting (XSS) Vulnerability (CWE-79)
FortiManager provides centralized policy-based provisioning, device configuration, and update management for FortiGate, FortiWiFi, and FortiMail appliances, and FortiClient end-point security agents, plus end-to-end network monitoring and device control.
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks. The vulnerability exists due to insufficient sanitization of user-supplied data in the FortiManager and FortiAnalyzer user interface. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Affected Products:
FortiManager Versions: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 7.0.0
FortiAnalyzer Versions: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 7.0.0
QID Detection Logic (Authenticated):
The QID runs the "get system status" command on the appliance and matches the reported version against the affected versions listed above.
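The following is an added illustration of that version-matching check, not Qualys's own detection code. It encodes the affected versions exactly as enumerated in this QID, pulls the product and version out of "get system status" output, and classifies the device. The sample output is constructed here and only approximates the real command's layout (the "Platform Full Name" and "Version" line formats are assumptions); on real devices, verify the line formats before relying on the regular expressions.

```python
import re
from typing import Optional, Tuple

# Affected versions exactly as enumerated in the QID text; the list is the same
# for FortiManager and FortiAnalyzer (6.2.0-6.2.7, 6.4.0-6.4.5, 7.0.0).
_AFFECTED_LIST = (
    [f"6.2.{p}" for p in range(0, 8)]
    + [f"6.4.{p}" for p in range(0, 6)]
    + ["7.0.0"]
)
AFFECTED_VERSIONS = {
    "FortiManager": frozenset(_AFFECTED_LIST),
    "FortiAnalyzer": frozenset(_AFFECTED_LIST),
}

# Assumed line layout: the product is read from "Platform Full Name", the
# version from "Version : vX.Y.Z-buildNNNN ...". Adjust if the real output differs.
_PLATFORM_RE = re.compile(r"^Platform Full Name\s*:\s*(FortiManager|FortiAnalyzer)", re.M)
_VERSION_RE = re.compile(r"^Version\s*:\s*v?(\d+)\.(\d+)\.(\d+)", re.M)


def parse_system_status(output: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (product, 'major.minor.patch') parsed from get system status output.

    Either element is None when the corresponding line is missing, so callers
    can distinguish 'not affected' from 'could not determine'.
    """
    product = _PLATFORM_RE.search(output)
    version = _VERSION_RE.search(output)
    return (
        product.group(1) if product else None,
        ".".join(version.groups()) if version else None,
    )


def assess(output: str) -> str:
    """Classify a device as 'affected', 'not affected' or 'unknown' (unparseable)."""
    product, version = parse_system_status(output)
    if product is None or version is None:
        return "unknown"
    return "affected" if version in AFFECTED_VERSIONS[product] else "not affected"


# Constructed sample outputs (not captured from real appliances).
SAMPLE_AFFECTED = """\
Platform Type : FMG-VM64
Platform Full Name : FortiManager-VM64
Version : v6.4.5-build2288 210325 (GA)
Serial Number : FMG-VM0000000000
"""

SAMPLE_NOT_LISTED = """\
Platform Type : FAZ-VM64
Platform Full Name : FortiAnalyzer-VM64
Version : v7.0.1-build0123 210809 (GA)
Serial Number : FAZ-VM0000000000
"""

if __name__ == "__main__":
    for label, out in (("FortiManager sample", SAMPLE_AFFECTED),
                       ("FortiAnalyzer sample", SAMPLE_NOT_LISTED)):
        print(label, parse_system_status(out), "->", assess(out))
```

Because the check is an exact match against the advisory's list rather than a range comparison, a version the advisory does not name (for example a newer patch release) is reported as "not affected", and output that cannot be parsed is reported as "unknown" rather than silently passing.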
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Customers are advised to refer to CVE-2021-32597 for more information.
- CVE-2021-32597 - www.cybersecurity-help.cz/vdb/SB2021080318
- FG-IR-21-054 - fortiguard.com/advisory/FG-IR-21-054
CVEs related to QID 376130
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| CVE-2021-32597 | | | |