CVE-2022-38374: Fortiguard

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiADC 7.0.0 - 7.0.2 and 6.2.0 - 6.2.4 allows an attacker to execute unauthorized code or commands via the URL and User fields observed in the traffic and event log views.


PSIRT Advisories

FortiADC - Persistent XSS in Log pages

Summary

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiADC may allow a remote unauthenticated attacker to perform a stored cross-site scripting (XSS) attack via HTTP fields observed in the traffic and event log views.

Affected Products

FortiADC version 7.0.0 through 7.0.2
FortiADC version 6.2.0 through 6.2.4

Solutions

Please upgrade to FortiADC version 7.1.0 or above
Please upgrade to FortiADC version 7.0.3 or above
Please upgrade to FortiADC version 6.2.4 or above

Acknowledgement

Fortinet is pleased to thank Almas Zhurtanov from Secura for reporting this vulnerability under responsible disclosure.
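The root cause described in the Summary is a log viewer that writes request-supplied fields (URL, user name) into its HTML unencoded. The following added example is not FortiADC code and is not from the advisory; it is an illustrative log viewer with a constructed log, showing the vulnerable rendering pattern beside an output-encoded version and a parser-based regression check that flags any tag not emitted by the template itself.

```python
import html
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class LogEntry:
    # Fields a traffic/event log view displays. user and url are copied
    # from the client's HTTP request, so they are attacker-controlled.
    timestamp: str
    user: str
    url: str
    status: int


# Constructed sample log (not real data): one ordinary request and one
# whose User and URL fields carry HTML markup, as a stored-XSS probe would.
SAMPLE_LOG = [
    LogEntry("2022-09-01T10:00:00Z", "alice", "/index.html", 200),
    LogEntry("2022-09-01T10:00:01Z", 'bob"><script>alert(1)</script>',
             "/search?q=<img src=x onerror=alert(1)>", 404),
]


def render_row_unsafe(e: LogEntry) -> str:
    # Vulnerable pattern (CWE-79): fields interpolated into HTML verbatim,
    # so markup stored in the log runs in the browser of whoever views it.
    return (f'<tr><td>{e.timestamp}</td><td title="{e.user}">{e.user}</td>'
            f'<td>{e.url}</td><td>{e.status}</td></tr>')


def render_row_safe(e: LogEntry) -> str:
    # Hardened: every field is entity-encoded at output time. quote=True also
    # encodes " and ', so a value cannot break out of the title="..." attribute.
    def esc(v) -> str:
        return html.escape(str(v), quote=True)
    return (f'<tr><td>{esc(e.timestamp)}</td>'
            f'<td title="{esc(e.user)}">{esc(e.user)}</td>'
            f'<td>{esc(e.url)}</td><td>{esc(e.status)}</td></tr>')


def render_table(entries, row_fn) -> str:
    return "<table>" + "".join(row_fn(e) for e in entries) + "</table>"


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def unexpected_tags(rendered: str) -> set:
    # Regression check for a log view: parse the output and report every
    # start tag that the template itself does not emit.
    p = _TagCollector()
    p.feed(rendered)
    return p.tags - {"table", "tr", "td"}
```

Run as a unit test against the viewer's template: `unexpected_tags(render_table(SAMPLE_LOG, render_row_safe))` must be empty, while the unsafe renderer yields `{"script", "img"}`.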
