Open Redirect in Maliciously Generated PDF Document on FortiAnalyzer and FortiManager
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
Advisory ID: FG-IR-18-022
Status: Final
Published: 2018-06-22
Last updated: 2018-06-22
Summary: An open redirect vulnerability exists in FortiAnalyzer and FortiManager when a GUI user converts an HTML table to a PDF document via the FortiView feature, due to a lack of user input sanitization. An attacker may be able to social engineer a user of the FortiAnalyzer/FortiManager GUI into generating a PDF file containing malicious URLs.
Impact: Open redirection
Affected products: FortiAnalyzer 6.0.0 and below. FortiManager 6.0.0 and below, when the FortiView feature is enabled.
Solutions: FortiAnalyzer: upgrade to 6.0.1 or above. FortiManager: upgrade to 6.0.1 or above. Since both FortiAnalyzer and FortiManager already use tokens to block Cross-Site Request Forgery (CSRF) attacks, the risk of successful exploitation of this vulnerability is low and relies mostly on social engineering.
Acknowledgement: Fortinet is pleased to thank Donato Onofri, Luca Napolitano and Francesca Perrone of Business Integration Partners S.p.A. for reporting this vulnerability under responsible disclosure.
Affected versions:
FortiManager 6.0.0
FortiManager 5.6.5
FortiManager 5.6.4
FortiManager 5.6.3
FortiManager 5.6.2
FortiManager 5.6.1
FortiManager 5.6.0
FortiManager 5.4.7
FortiManager 5.4.6
FortiManager 5.4.5
FortiManager 5.4.4
FortiManager 5.4.3
FortiManager 5.4.2
FortiManager 5.4.1
FortiManager 5.4.0
FortiAnalyzer 6.0.0
FortiAnalyzer 5.6.5
FortiAnalyzer 5.6.4
FortiAnalyzer 5.6.3
FortiAnalyzer 5.6.2
FortiAnalyzer 5.6.1
FortiAnalyzer 5.6.0
FortiAnalyzer 5.4.7
FortiAnalyzer 5.4.6
FortiAnalyzer 5.4.5
FortiAnalyzer 5.4.4
FortiAnalyzer 5.4.3
FortiAnalyzer 5.4.2
FortiAnalyzer 5.4.1
FortiAnalyzer 5.4.0
CVE ID: CVE-2018-1355
Reference: https://fortiguard.fortinet.com/psirt/FG-IR-18-022