Main Vulnerability Database Vulnerabilities #VU305

Persistent Cross-site scripting (XSS) in FortiVoice - #VU305

Published: August 12, 2016

Vulnerability identifier: #VU305

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Fortinet, Inc

Affected software:
FortiVoice

Detailed vulnerability description

The vulnerability allow a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-input. A remote attacker can bypass implemented filtering rules and permanently inject arbitrary HTML and script code and execute it in user’s browser in context of vulnerable website, when the victim visits page with XSS exploit.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Update to the latest version 5.0.5 and above.

Sources

http://fortiguard.com/advisory/fortivoice-5-0-filter-bypass-persistent-web-vulnerabilities

Persistent Cross-site scripting (XSS) in FortiVoice - #VU305

Detailed vulnerability description

Remediation

Sources

Please verify you're human