CVE-2019-6697: 
FortiOS vulnerability analysis and mitigation

An Improper Neutralization of Input vulnerability (CVE-2019-6697) affects FortiGate versions 6.2.0 through 6.2.1 and 6.0.0 through 6.0.6. The vulnerability exists in the hostname parameter of a DHCP packet under DHCP monitor page. This vulnerability was disclosed on November 25, 2019, and received a CVSS v3.1 base score of 5.3 (Medium severity) (FortiGuard Advisory, NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists specifically in the hostname parameter processing of DHCP packets within the DHCP monitor page. The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and no required privileges (NVD).

If successfully exploited, this vulnerability allows an unauthenticated attacker in the same network as the FortiGate to perform a Stored Cross Site Scripting attack (XSS). This could potentially lead to the execution of unauthorized code or commands in the context of the user's browser (FortiGuard Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiOS version 6.2.2 or above for the 6.2.x branch, or to FortiOS version 6.0.7 or above for the 6.0.x branch (FortiGuard Advisory).