FortiWeb 5.0.2 and lower are vulnerable to cross-site scripting (CVE-2014-1955), HTTP header injection (CVE-2014-1956) and privilege escalation (CVE-2014-1957) issues.

A remote unauthenticated attacker may be able to execute arbitrary JavaScript in the context of the administrator's browser session. In addition, authenticated users may be able to escalate their privileges.

Upgrade to FortiWeb 5.0.3 or higher.

FortiWeb 4.4.7 and lower. FortiWeb 5.0.2 and lower.

Check the version

• http://www.fortiguard.com/advisory/FG-IR-14-009/

---

Updated on 2015-03-25