PT-2022-1389 · Fortinet · FortiAnalyzer, FortiManager

Published

2022-11-01

·

Updated

2022-11-03

·

CVE-2022-39950

CVSS v2.0

10

High

Vector AV:N/AC:L/Au:N/C:C/I:C/A:C

Note: this vector (no authentication required, complete confidentiality, integrity and availability impact) overstates what the description below supports. The flaw is a cross-site scripting issue triggered by a low-privileged account and it only fires when another user views the affected page, so treat the vendor's and NVD's own scoring as authoritative.
Name of the Vulnerable Software and Affected Versions

FortiManager versions 6.0.0 through 7.0.4
FortiAnalyzer versions 6.0.0 through 7.0.4
Description

The issue is an improper neutralization of input during web page generation (cross-site scripting). A remote attacker holding a low-privileged account can store a crafted CKEditor "protected" comment in content that the appliance later renders, and the script it carries executes in the browser of any other user who views that content, with that user's session and privileges.
Recommendations

For FortiManager versions 6.0.0 through 7.0.4 and FortiAnalyzer versions 6.0.0 through 7.0.4, upgrade to a release that contains the vendor's fix for this issue (the fixed release numbers are given in the vendor advisory and are not reproduced here). Until the upgrade is applied, restrict access to the report templates feature to trusted administrators, do not use the CKEditor "protected" comment feature in the affected versions, and review existing report templates for HTML comments of the form <!--{cke_protected}...--> that were not created by a trusted user.

Weakness Enumeration

XSS (CWE-79: Improper Neutralization of Input During Web Page Generation)

Related Identifiers

BDU:2020-05753
CVE-2022-39950

Affected Products

FortiAnalyzer
FortiManager