CVE-2015-1451

Name of the Vulnerable Software and Affected Versions FortiOS version 5.0 Patch 7 build 4457

Description The issue is caused by insufficient protection of the web page structure, allowing remote authenticated users to inject arbitrary web script or HTML via the WTP Name or WTP Active Software Version field in a CAPWAP Join request. This can enable an attacker to inject arbitrary JavaScript or HTML code.

Recommendations For FortiOS version 5.0 Patch 7 build 4457, consider disabling the CAPWAP Join request functionality until a patch is available. Restrict access to the WTP Name and WTP Active Software Version fields to minimize the risk of exploitation. Avoid using these fields in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.