Fortinet FortiOS, FortiProxy, and FortiSASE Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in Fortinet FortiOS versions 7.6.0 to 7.6.3, 7.4.0 to 7.4.7, 7.2 (all versions), 7.0 (all versions), and 6.4 (all versions), as well as FortiProxy versions 7.6.0 to 7.6.3, 7.4.0 to 7.4.9, 7.2 (all versions), and 7.0 (all versions). Additionally, FortiSASE version 25.3.a is affected. This vulnerability allows an unauthenticated attacker to perform reflected cross-site scripting by sending crafted HTTP requests.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Remediation

Users of Fortinet FortiOS should upgrade to version 7.6.4 or 7.4.9, depending on their current version. Fortinet FortiProxy users should upgrade to version 7.6.4 or migrate to a fixed release. Fortinet FortiSASE customers do not need to take any action, as Fortinet has already remediated this issue in version 25.3.b.