CVE-2022-26114: Fortiguard
An improper neutralization of input during web page generation vulnerability [CWE-79] in the Webmail of FortiMail before 7.2.0 may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack by sending specially crafted mail messages.
PSIRT Advisories
FortiMail - Cross-site scripting (XSS) in Webmail
Summary
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail Webmail may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack by sending specially crafted mail messages. The attacker needs no account on the appliance: the payload travels inside the mail itself and is rendered into the Webmail page when a user views the message.
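The summary names the bug class but not the field or rendering path involved in FortiMail. As an added illustration of CWE-79 in a webmail setting (this is not Fortinet's code and not the actual vector of this advisory), the following Python parses a constructed message whose From display name and Subject carry markup, then renders a message-list row once by plain concatenation and once with output encoding. The sample message and the names render_row_unsafe, render_row_safe, header_fields and survives_as_markup are the example's own.

```python
import html
from email import message_from_string, policy

# Constructed sample message (not from the advisory): the From display name
# and the Subject carry markup that a webmail page must neutralize.
RAW_MESSAGE = """\
From: "Mallory <script>alert(1)</script>" <mallory@example.invalid>
To: victim@example.invalid
Subject: Invoice <img src=x onerror=alert(document.cookie)>
Date: Mon, 01 Jan 2024 00:00:00 +0000
Content-Type: text/plain; charset=us-ascii

Please see the attached invoice.
"""


def header_fields(raw):
    """Parse a raw RFC 5322 message and return (sender display name, subject).

    policy.default decodes RFC 2047 encoded words, so a payload hidden behind
    =?utf-8?b?...?= encoding is unpacked before it reaches the renderer.
    """
    msg = message_from_string(raw, policy=policy.default)
    addr = msg["From"].addresses[0]
    sender = addr.display_name or addr.addr_spec
    return sender, str(msg["Subject"])


def render_row_unsafe(sender, subject):
    """CWE-79: untrusted header text is concatenated straight into the page."""
    return f"<tr><td>{sender}</td><td>{subject}</td></tr>"


def render_row_safe(sender, subject):
    """Entity-encode each untrusted value at the point it enters the HTML.

    quote=True also encodes " and ', so the same helper is safe when the
    value lands inside an attribute such as title="...".
    """
    return (
        f"<tr><td>{html.escape(sender, quote=True)}</td>"
        f'<td title="{html.escape(subject, quote=True)}">'
        f"{html.escape(subject, quote=True)}</td></tr>"
    )


def survives_as_markup(rendered):
    """True if a raw tag from the input is still present in the output."""
    return "<script" in rendered or "<img" in rendered


if __name__ == "__main__":
    sender, subject = header_fields(RAW_MESSAGE)
    print("unsafe:", render_row_unsafe(sender, subject))
    print("safe:  ", render_row_safe(sender, subject))
```

The fix is positional: escaping belongs where the value is written into HTML, not where the mail is parsed, because the same header may later be emitted into an attribute, a JavaScript string or a URL, each of which needs its own encoding.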
Affected Products
FortiMail version 7.0.0 through 7.0.3
FortiMail version 6.4.0 through 6.4.7
FortiMail version 6.2.0 through 6.2.8
FortiMail version 6.0.0 through 6.0.12
Solutions
Please upgrade to FortiMail version 7.2.0 or above
Please upgrade to FortiMail version 7.0.4 or above
No fixed release is listed for the 6.0, 6.2 and 6.4 branches; installations on those branches need to move to 7.0.4 or later, or 7.2.0 or later.
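To apply the version lists above to an inventory, here is an added Python helper (not from the advisory) that encodes the affected ranges and fixed releases exactly as listed, parses version strings such as "v7.0.3", and flags the hosts that need the upgrade. The inventory is constructed; preferring 7.0.4 for hosts already on 7.0.x and 7.2.0 otherwise is the example's own choice, since the advisory allows either.

```python
# Affected ranges (inclusive) and fixed releases, as listed in the advisory.
AFFECTED = [
    ((6, 0, 0), (6, 0, 12)),
    ((6, 2, 0), (6, 2, 8)),
    ((6, 4, 0), (6, 4, 7)),
    ((7, 0, 0), (7, 0, 3)),
]
FIXED = [(7, 0, 4), (7, 2, 0)]


def parse_version(text):
    """Turn '7.0.3', 'v7.0.3' or '7.0' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def recommended_upgrade(text):
    """Fixed release on the same major.minor branch if one exists, else 7.2.0.

    This preference is the example's own; the advisory permits either fix.
    """
    v = parse_version(text)
    for fixed in FIXED:
        if fixed[:2] == v[:2]:
            return ".".join(map(str, fixed))
    return ".".join(map(str, FIXED[-1]))


def triage(inventory):
    """Return [(host, version, upgrade_to)] for every affected host in the inventory."""
    return [
        (host, version, recommended_upgrade(version))
        for host, version in inventory
        if is_affected(version)
    ]


# Constructed inventory of (hostname, reported FortiMail version).
SAMPLE_INVENTORY = [
    ("fml-eu-1", "v7.0.3"),
    ("fml-eu-2", "7.0.4"),
    ("fml-us-1", "6.4.7"),
    ("fml-us-2", "6.4.8"),
    ("fml-ap-1", "6.0.12"),
    ("fml-lab",  "7.2.0"),
]

if __name__ == "__main__":
    for host, version, upgrade_to in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected, upgrade to {upgrade_to}")
```

Versions outside the listed ranges (for example 6.4.8) are reported as not affected only because the advisory does not list them; treat the check as a reflection of this advisory, not as a statement about later releases on the 6.x branches.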
Acknowledgement
Internally discovered by Giuseppe Cocomazzi.