Open redirect in Fortinet, FortiOS



Published: 2020-03-16 | Updated: 2020-08-08
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-6696
CWE-ID CWE-601
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		FortiOS
Operating systems & Components / Operating system

Vendor Fortinet, Inc

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Open redirect

EUVDB-ID: #VU34740

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-6696

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An improper input validation vulnerability in FortiOS 6.2.1, 6.2.0, 6.0.8 and below until 5.4.0 under admin webUI may allow an attacker to perform an URL redirect attack via a specifically crafted request to the admin initial password change webpage.

Mitigation

Install update from vendor's website.

Vulnerable software versions

FortiOS: 6.2.0 - 6.2.1

External links

http://fortiguard.com/psirt/FG-IR-19-179


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###