CVE-2023-26206: 
FortiNAC vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was identified in Fortinet FortiNAC versions 9.4.0 - 9.4.2, 9.2.0 - 9.2.8, 9.1.0 - 9.1.10, and 7.2.0. The vulnerability (CVE-2023-26206) was discovered internally by Heidi White of the Fortinet QA team and was publicly disclosed on February 13, 2024. This security flaw affects the GUI component of FortiNAC, specifically in the policy audit logs functionality (Fortinet Advisory).

The vulnerability is classified as an improper neutralization of input during web page generation (CWE-79) that exists in the name fields observed in the policy audit logs. The CVSS v3.1 base score is 6.1 (Medium) according to NVD's assessment, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Fortinet's own assessment rated it slightly higher at 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows an attacker to execute unauthorized code or commands through stored cross-site scripting attacks. This can potentially lead to unauthorized access and manipulation of the affected system through the policy audit logs interface (Fortinet Advisory).

Fortinet has released fixes for the affected versions. Users of FortiNAC 9.4.0-9.4.2 should upgrade to version 9.4.4 or above. For FortiNAC 7.2.0-7.2.2, upgrading to version 7.2.3 or above is recommended. Users of versions 9.2.0-9.2.8 and 9.1.0-9.1.10 should migrate to a fixed release (Fortinet Advisory).