Main Vulnerability Database Vulnerabilities #VU9503

Cross-site scripting (XSS) in FortiOS - CVE-2017-14186

Published: November 29, 2017 / Updated: May 27, 2019

Vulnerability identifier: #VU9503

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-14186

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Fortinet, Inc

Affected software:
FortiOS

Detailed vulnerability description

Vulnerability allows a remote authenticated attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.6, 5.2.0 to 5.2.12, 5.0 and below versions under SSL VPN web portal when processing the login "redir" parameter. A remote authenticated attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

How to mitigate CVE-2017-14186

Update to FortiOS 5.6.8, 6.0.5 or 6.2.0.

Sources

http://fortiguard.com/psirt/FG-IR-17-242

Cross-site scripting (XSS) in FortiOS - CVE-2017-14186

Detailed vulnerability description

How to mitigate CVE-2017-14186

Sources

Please verify you're human