FortiWeb 5.0, 5.1 and 5.2.0 are vulnerable to multiple reflective cross-site scripting issues. Several parameters in the web management interface URLs /user/ldap_user/check_dlg and /user/radius_user/check_dlg lack sufficient input filtering.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Upgrade to FortiWeb 5.2.1 or higher.

FortiWeb 5.0.x, 5.1.x and 5.2.0.

Check the version

• http://www.fortiguard.com/advisory/FG-IR-14-012/

---

Updated on 2015-03-25