Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.3261 XSS vulnerability in the UserID of Admin Users in FortiNAC 24 September 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: FortiNAC Publisher: F5 Networks Operating System: Network Appliance Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Increased Privileges -- Existing Account Cross-site Scripting -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-12816 Original Bulletin: https://fortiguard.com/psirt/FG-IR-20-002 - --------------------------BEGIN INCLUDED TEXT-------------------- XSS vulnerability in the UserID of Admin Users in FortiNAC IR Number : FG-IR-20-002 Date : Sep 23, 2020 Risk : 3/5 Impact : Unauthorized code execution CVE ID : CVE-2020-12816 Summary An improper neutralization of input vulnerability in FortiNAC may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the UserID of Admin Users. Impact Unauthorized code execution Affected Products FortiNAC version 8.7.2 and below. Solutions Please upgrade to FortiNAC 8.7.3 or above. Acknowledgement Fortinet is pleased to thank Johnatan Camargo from Itau Unibanco for reporting this vulnerability under responsible disclosure. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX2v/auNLKJtyKPYoAQhLPA//ZNbWTxoRPFvFdcbCvgYAtcygpqmCxsi5 5hChrJcsX75qopZCwtSLASI6IhfzPJpC7ldWofzFniUcGwrnU13g+UlS4FhTln7x z4Nlhesm/LXbeUc+wi1FTP65HTeAmCF93IFot8fx1lOWupFPloSxZ4pix/j5Z2Ex o14sx6X6erukUB5vW1xT8IjoDKU/1hIx3AYCrlbKTl9cbWMtMCi62AcpCqHzxn0m aPyFd7H00KHOVGZ7C9ziAVXd03+QEmQ87f4kVVsyE1FU2nYqLCCL2Li8W9oWtIVp RbPNd6+6qQATDMgkrH2/XMRSASo52LOeKyFhAy00dMOecBw1zhzJUtl5OlzbSE7u ydJm/zTzx+UEXFI9cPJ3+y4n2j2b8OCERZt7N1CDkBqncbV0DmL47D2XiLzDZJh0 Ylj4qEhbV/BaF1L09MuDJ5MwyOfCgJCzR4+GKTWA7Nm3dup1JSQOZuqe7Krx+Orh 6ERbqNX7ewAxAVm6kEWX0dDRUVoXGd5KxldJ8zmUOAqcqblyWNua9OXGzVxWq6iY W/FE9FUBGb7iQfyyl+NdpneSv3m+h6IUFtHzobtO/KgP81kvHpVMw8iHzkfQTLK2 YT4uFqsnfFzVrw9eQnI6TPmY865V32Q/EIHL9oufga5Naw2G0grIm5YOeOI1+q36 9HnEfUBNgyY= =cBGL -----END PGP SIGNATURE-----