CVE-2019-6697

Name of the Vulnerable Software and Affected Versions FortiGate versions 6.0.0 through 6.0.6 FortiGate versions 6.2.0 through 6.2.1

Description The issue is related to an Improper Neutralization of Input in the hostname parameter of a DHCP packet under the DHCP monitor page. This may allow an unauthenticated attacker in the same network as the FortiGate to perform a Stored Cross Site Scripting attack (XSS) by sending a crafted DHCP packet.

Recommendations For FortiGate versions 6.0.0 through 6.0.6, update to a version outside of this range to resolve the issue. For FortiGate versions 6.2.0 through 6.2.1, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the DHCP monitor page to minimize the risk of exploitation. Avoid using the hostname parameter in the affected DHCP packet until the issue is resolved.