PSIRT

[CVE-2017-7733] GUI logindisclaimer redir parameter not XSS sanitized

Summary

A reflected XSS vulnerability exists in FortiOS web GUI "Login Disclaimer" redir parameter. It is potentially exploitable by a remote unauthenticated attacker, via sending a maliciously crafted URL to a victim who has an open session on the web GUI. Visiting that malicious URL may cause the execution of arbitrary javascript code in the security context of the victim's browser.

Affected Products

Branch 5.6: FortiOS 5.6.0
Branch 5.4: FortiOS 5.4.0 to 5.4.5
Other branches are not affected

Solutions

Branch 5.6: Upgrade to FortiOS 5.6.1 or above Branch 5.4: Upgrade to FortiOS 5.4.6 or above.

Acknowledgement

Fortinet is pleased to thank Starhub Singapore and Andrew Ho, Maximus Consulting, and Donato Onofri of DXC Technology for reporting this vulnerability under responsible disclosure.

IR Number	FG-IR-17-113
Published Date	Oct 24, 2017
Component	GUI
Severity	Medium
CVSSv3 Score	5.6
Impact	Execute unauthorized code or commands
CVE ID	CVE-2017-7733
CVRF	Download

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

PSIRT

[CVE-2017-7733] GUI logindisclaimer redir parameter not XSS sanitized

Summary

Affected Products

Solutions

Acknowledgement

News/Research

Research Center

PSIRT Center

Services

By Outbreak

By Solution

By Product

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

Threat Intelligence Center

Resource Center

About

FortiGuard Labs

Partners

PSIRT

[CVE-2017-7733] GUI logindisclaimer redir parameter not XSS sanitized

Summary

Affected Products

Solutions

Acknowledgement

Threat Intelligence
Center