Open redirect in FortiOS - CVE-2017-14186
Published: December 1, 2017 / Updated: May 27, 2019
FortiOS
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to perform open redirection attacks.
The vulnerability is caused by an input validation error in the SSL VPN web portal of Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.6, 5.2.0 to 5.2.12, and 5.0 and below when processing the login "redir" parameter. A remote attacker can redirect users to an external website.
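For triage, the following added example (not part of the original advisory and not Fortinet code) scans request lines for a "redir" value that does not resolve to a same-site path. The log format, the /login path and the example.net host are constructed assumptions; the same predicate is what a server-side check on the parameter would enforce.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample request lines; paths and hosts are illustrative only.
SAMPLE_REQUESTS = [
    "GET /login?redir=%2Fportal%2Findex HTTP/1.1",
    "GET /login?redir=https%3A%2F%2Fexample.net%2Fsignin HTTP/1.1",
    "GET /login?redir=%2F%2Fexample.net%2Fsignin HTTP/1.1",
    "GET /login?lang=en HTTP/1.1",
]


def is_local_target(target: str) -> bool:
    """True only for a same-site absolute path such as /portal/index."""
    # Browsers treat "\" like "/" and drop tab/CR/LF inside URLs, so any
    # value containing them is rejected instead of being normalised.
    if any(c in target for c in "\\\t\r\n"):
        return False
    parts = urlsplit(target)
    # No scheme, no host, and exactly one leading slash.
    return (not parts.scheme and not parts.netloc
            and target.startswith("/") and not target.startswith("//"))


def suspicious_redirs(request_lines, param="redir"):
    """Return (request_line, decoded_target) for each non-local target."""
    hits = []
    for line in request_lines:
        fields = line.split()
        if len(fields) < 2:
            continue  # not a "METHOD URL PROTOCOL" request line
        query = urlsplit(fields[1]).query
        # parse_qs percent-decodes values and skips blank ones.
        for target in parse_qs(query).get(param, []):
            if not is_local_target(target):
                hits.append((line, target))
    return hits


if __name__ == "__main__":
    for line, target in suspicious_redirs(SAMPLE_REQUESTS):
        print(f"external redir target {target!r} in: {line}")
```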