Operating System:

[Appliance]

Published:

24 September 2020

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2020.3261 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3261
        XSS vulnerability in the UserID of Admin Users in FortiNAC
                             24 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiNAC
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Cross-site Scripting            -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12816  

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-20-002

- --------------------------BEGIN INCLUDED TEXT--------------------

XSS vulnerability in the UserID of Admin Users in FortiNAC

IR Number : FG-IR-20-002

Date      : Sep 23, 2020

Risk      : 3/5

Impact    : Unauthorized code execution

CVE ID    : CVE-2020-12816

Summary

An improper neutralization of input vulnerability in FortiNAC may allow a
remote authenticated attacker to perform a stored cross site scripting attack
(XSS) via the UserID of Admin Users.

Impact

Unauthorized code execution

Affected Products

FortiNAC version 8.7.2 and below.

Solutions

Please upgrade to FortiNAC 8.7.3 or above.

Acknowledgement

Fortinet is pleased to thank Johnatan Camargo from Itau Unibanco for reporting
this vulnerability under responsible disclosure.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX2v/auNLKJtyKPYoAQhLPA//ZNbWTxoRPFvFdcbCvgYAtcygpqmCxsi5
5hChrJcsX75qopZCwtSLASI6IhfzPJpC7ldWofzFniUcGwrnU13g+UlS4FhTln7x
z4Nlhesm/LXbeUc+wi1FTP65HTeAmCF93IFot8fx1lOWupFPloSxZ4pix/j5Z2Ex
o14sx6X6erukUB5vW1xT8IjoDKU/1hIx3AYCrlbKTl9cbWMtMCi62AcpCqHzxn0m
aPyFd7H00KHOVGZ7C9ziAVXd03+QEmQ87f4kVVsyE1FU2nYqLCCL2Li8W9oWtIVp
RbPNd6+6qQATDMgkrH2/XMRSASo52LOeKyFhAy00dMOecBw1zhzJUtl5OlzbSE7u
ydJm/zTzx+UEXFI9cPJ3+y4n2j2b8OCERZt7N1CDkBqncbV0DmL47D2XiLzDZJh0
Ylj4qEhbV/BaF1L09MuDJ5MwyOfCgJCzR4+GKTWA7Nm3dup1JSQOZuqe7Krx+Orh
6ERbqNX7ewAxAVm6kEWX0dDRUVoXGd5KxldJ8zmUOAqcqblyWNua9OXGzVxWq6iY
W/FE9FUBGb7iQfyyl+NdpneSv3m+h6IUFtHzobtO/KgP81kvHpVMw8iHzkfQTLK2
YT4uFqsnfFzVrw9eQnI6TPmY865V32Q/EIHL9oufga5Naw2G0grIm5YOeOI1+q36
9HnEfUBNgyY=
=cBGL
-----END PGP SIGNATURE-----