CVE-2019-16149

5.5 MEDIUM

📋 TL;DR

CVE-2019-16149 is a cross-site scripting (XSS) vulnerability in FortiClientEMS version 6.2.0 that allows remote attackers to inject malicious scripts into user profiles. When exploited, this could enable unauthorized code execution on systems managed by the vulnerable FortiClientEMS instance. Organizations using FortiClientEMS 6.2.0 for endpoint management are affected.

💻 Affected Systems

Products:
  • FortiClient Enterprise Management Server (EMS)
Versions: 6.2.0 only
Operating Systems: Windows Server (primary deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects FortiClientEMS 6.2.0; other versions are not vulnerable. Requires the EMS to be managing FortiClient endpoints.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could execute arbitrary code on managed FortiClient endpoints, potentially compromising all endpoints managed by the vulnerable EMS server and gaining persistent access to the network.

🟠

Likely Case

Attackers could steal session cookies, perform session hijacking, redirect users to malicious sites, or perform actions on behalf of authenticated users within the EMS interface.

🟢

If Mitigated

With proper input validation and output encoding, the malicious payload would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires user interaction or specific conditions, internet-facing EMS servers could be targeted through crafted user profiles.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to escalate privileges or move laterally within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to have access to create or modify user profiles in the EMS system, or trick an administrator into doing so with malicious content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiClientEMS 6.2.1 or later

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-19-072

Restart Required: Yes

Instructions:

1. Download FortiClientEMS 6.2.1 or later from the Fortinet support portal.
2. Back up the current EMS configuration.
3. Install the updated version following Fortinet upgrade procedures.
4. Restart the EMS service or server.

🔧 Temporary Workarounds

Input Validation Enhancement
Applies to: all
Implement additional input validation for user profile fields to reject or sanitize HTML/script content.
Implementation: Not applicable - requires code changes to EMS

Content Security Policy
Applies to: all
Implement strict Content Security Policy headers to prevent script execution from untrusted sources.
Implementation: Add CSP header: Content-Security-Policy: default-src 'self'; script-src 'self'
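The two workarounds above, together with the "If Mitigated" outcome, come down to three controls: reject script-like content at input time, output-encode profile fields when rendering, and ship a CSP that forbids inline script. The following is an added illustration written for this page, not FortiClientEMS code and not a description of its real profile schema; the field names and the CSP parser are assumptions. It renders the same constructed profile with and without output encoding, flags fields carrying markup, and checks whether a given CSP string would still let an injected inline script run.

```python
import html
import re
from typing import Dict, List, Tuple

# Hypothetical profile fields an EMS-style admin UI might render.
# Constructed for this example; not the product's real schema.
PROFILE_FIELDS = ("name", "description", "notes")


def render_profile_unsafe(profile: Dict[str, str]) -> str:
    """Interpolates stored fields straight into markup: the stored-XSS pattern."""
    return "".join(
        f"<div class='{k}'>{profile.get(k, '')}</div>" for k in PROFILE_FIELDS
    )


def render_profile_encoded(profile: Dict[str, str]) -> str:
    """Output-encodes every field so stored markup is shown as inert text."""
    return "".join(
        f"<div class='{k}'>{html.escape(profile.get(k, ''), quote=True)}</div>"
        for k in PROFILE_FIELDS
    )


# Input-validation check: any tag opener, javascript: URL or on*= handler.
_MARKUP_OR_HANDLER = re.compile(
    r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE
)


def validate_profile(profile: Dict[str, str]) -> List[str]:
    """Returns the names of fields that contain markup or script-like content."""
    return [k for k in PROFILE_FIELDS if _MARKUP_OR_HANDLER.search(profile.get(k, ""))]


# The header the workaround above recommends, as a (name, value) pair.
CSP_HEADER: Tuple[str, str] = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'",
)


def csp_allows_inline_scripts(policy: str) -> bool:
    """True if script-src (or default-src as its fallback) permits inline scripts.

    Simplified parser: it does not model nonces, hashes or 'strict-dynamic'.
    A missing script-src and default-src means no restriction at all.
    """
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src", ["*"]))
    return "'unsafe-inline'" in sources or "*" in sources


if __name__ == "__main__":
    # Constructed sample profile with a benign test string in one field.
    sample = {"name": "alice", "description": "<script>alert('xss')</script>", "notes": "ok"}
    print("unsafe :", render_profile_unsafe(sample))
    print("encoded:", render_profile_encoded(sample))
    print("flagged:", validate_profile(sample))
    print("CSP permits inline script:", csp_allows_inline_scripts(CSP_HEADER[1]))
```

Output encoding is the control that actually neutralises a stored payload; the validation regex is deliberately conservative and will also reject harmless angle brackets in free text, which is the usual trade-off when you cannot change the rendering code. The CSP check is only a sanity test for the header you deploy: a policy that falls back to `default-src *` or adds `'unsafe-inline'` to `script-src` gives no protection against this class of bug.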

🧯 If You Can't Patch

  • Restrict access to EMS management interface to trusted administrators only using network segmentation
  • Implement web application firewall (WAF) rules to detect and block XSS payloads in user profile data

🔍 How to Verify

Check if Vulnerable:

Check FortiClientEMS version in administration interface: System > Dashboard > System Information

Check Version:

In EMS web interface: Navigate to System > Dashboard and check System Information panel

Verify Fix Applied:

Verify that the version is 6.2.1 or higher, and test user profile fields for script injection by attempting to enter basic XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual user profile modifications
  • Administrative actions creating profiles with unusual content
  • EMS logs showing script tags or JavaScript in profile data

Network Indicators:

  • HTTP requests to EMS containing script tags in POST data
  • Unusual outbound connections from EMS server following profile updates

SIEM Query:

source="forticlientems" AND (message="*<script>*" OR message="*javascript:*" OR message="*onerror=*" OR message="*onload=*")
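To see what the SIEM query above actually catches, here is an added example (not part of the original page and not real FortiClientEMS log output) that reimplements its four wildcard patterns as a case-insensitive substring match and runs them over constructed key=value log lines. The log format, field names and user names are assumptions made for the illustration.

```python
import re
from typing import Dict, Iterable, List

# The wildcard patterns from the SIEM query, compiled as case-insensitive
# substring matches (the usual semantics of message="*<script>*").
SIEM_PATTERNS = ("<script>", "javascript:", "onerror=", "onload=")
_PATTERN = re.compile("|".join(re.escape(p) for p in SIEM_PATTERNS), re.IGNORECASE)

# Constructed, EMS-style log lines in an assumed key="value" format.
SAMPLE_LOGS = [
    'source="forticlientems" user="admin" action="profile_update" profile="Sales-Laptops" message="description updated"',
    'source="forticlientems" user="admin" action="profile_create" profile="Test" message="notes=<script>alert(1)</script>"',
    'source="forticlientems" user="helpdesk" action="profile_update" profile="HR" message="link=JavaScript:void(0)"',
    'source="forticlientems" user="admin" action="login" message="session started"',
    'source="fortigate" user="x" action="profile_update" message="<script>"',  # other source: excluded by the query
]


def parse_kv(line: str) -> Dict[str, str]:
    """Parses key="value" pairs from one log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def matches_siem_query(line: str) -> bool:
    """True if the line satisfies source="forticlientems" AND one of the message patterns."""
    fields = parse_kv(line)
    return fields.get("source") == "forticlientems" and bool(
        _PATTERN.search(fields.get("message", ""))
    )


def find_xss_indicators(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Returns the parsed fields of every line the query would surface."""
    return [parse_kv(line) for line in lines if matches_siem_query(line)]


def count_by_user(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregates hits per acting user, the pivot an analyst would triage on."""
    counts: Dict[str, int] = {}
    for hit in hits:
        user = hit.get("user", "<unknown>")
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_xss_indicators(SAMPLE_LOGS)
    for hit in hits:
        print(hit.get("user"), hit.get("action"), hit.get("profile"), "->", hit.get("message"))
    print(count_by_user(hits))
```

The query matches literal tokens only, so a `<script` tag that carries attributes, or content that arrives entity-encoded, will not hit `*<script>*`; when tuning, widen the patterns and pair the alert with the profile-modification audit events listed under Log Indicators rather than relying on the message text alone.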

🔗 References