CVE-2012-0941

Name of the Vulnerable Software and Affected Versions Fortinet FortiGate UTM WAF appliances with FortiOS versions prior to 4.3.6

Description The issue allows remote attackers to inject arbitrary web script or HTML via several vectors, including the Endpoint Monitor, Dialup List, or Log&Report Display modules. Additionally, the fields sorted opt parameter to /user/auth/list or /endpointcompliance/app detect/predefined sig list API endpoints is vulnerable. This is due to insufficient protection of the web page structure, which can be exploited by a remote attacker to inject arbitrary JavaScript or HTML code.

Recommendations For FortiOS versions prior to 4.3.6, update to version 4.3.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the Endpoint Monitor, Dialup List, and Log&Report Display modules until a patch is available. Avoid using the fields sorted opt parameter in the affected API endpoints until the issue is resolved.