CVE-2012-6347

Name of the Vulnerable Software and Affected Versions FortiGate FortiDB versions prior to 4.4.2

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in Java number format exception handling. Remote attackers can inject arbitrary web script or HTML via the conversationContext parameter to various API endpoints, including "admin/auditTrail.jsf", "mapolicymgmt/targetsMonitorView.jsf", "vascan/globalsummary.jsf", "vaerrorlog/vaErrorLog.jsf", "database/listTargetGroups.jsf", "sysconfig/listSystemInfo.jsf", "vascan/list.jsf", "network/router.jsf", "mapolicymgmt/editPolicyProfile.jsf", or "mapolicymgmt/maPolicyMasterList.jsf".

Recommendations For FortiGate FortiDB versions prior to 4.4.2, update to version 4.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is applied. Avoid using the conversationContext parameter in the affected API endpoints until the issue is resolved.