From this webpage screenshot, we can extract the following key information about the vulnerability: Vulnerability Overview Vulnerability Type: Persistent Cross-Site Scripting (XSS) vulnerability. Affected Products: FortiManager and FortiAnalyzer series devices. CVE ID: CVE-2016-3196. CVSS Score: 4.1. Affected Scope Affected FortiManager Models: - FortiManager 200D, 300D, 1000D, 3900E, 4000E, Virtual Appliances. - FortiManager Legacy Models: 100, 100C, 400A, 400B, 400C, 1000C, 3000C & 4000. Affected FortiAnalyzer Models: - 200D, 300D, 1000D, 2000D, 3000E, 3500E, 3900E, VM Base & VM, GB1, GB5, GB25, GB100, GB500, GB2000. Vulnerability Details Vulnerable Location: In the module's parameter. Attack Vector: Remote attackers can exploit this vulnerability by injecting malicious scripts via a POST request using a low-privilege web application user account. Impact: Successful exploitation may lead to persistent phishing, session hijacking, external redirection to malicious sources, and application-side manipulation within the affected application module or connected web module context. Exploitation PoC: Steps for manually reproducing the vulnerability are provided, including logging in, navigating to a specific module, modifying the parameter value, and submitting the request. Exploitation Requirements: Requires a remote attacker to possess a low-privilege web application user account and low to moderate user interaction. Remediation and Patches Updated Versions: Customers can download updated versions to fix the vulnerability, including but not limited to 5.4.0, 5.2.6, etc. Security Risk: The security risk associated with application-side input validation in the value of the logo upload feature is assessed as medium.