PSIRT Advisory

FortiOS multiple pre-auth XSS vulnerabilities on SSL VPN

Summary

Failure to sanitize the error or message handling parameters in the SSL VPN web portal may allow an attacker to perform a Cross-site Scripting (XSS) attack.
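The defect class described above (an error or message parameter reflected into the portal page without output encoding) is illustrated by the following added example. It is constructed for this advisory and is not FortiOS code: the parameter name `err`, the page template and the helper names are assumptions. It places the unencoded renderer beside the corrected one and includes a check a defender can run against a captured response to confirm the reflected fragment carries no live markup.

```python
import html
from urllib.parse import parse_qs

# Constructed error-page template. The parameter name "err" is an assumption
# for illustration; the advisory does not name the affected parameters.
PAGE = "<html><body><div class='error'>{msg}</div></body></html>"


def _message_param(query_string: str) -> str:
    """Return the 'err' query parameter, or an empty string when absent."""
    return parse_qs(query_string).get("err", [""])[0]


def render_error_unsafe(query_string: str) -> str:
    """Reflects the parameter verbatim into the page: the defect class
    the advisory describes (no sanitisation of the message parameter)."""
    return PAGE.format(msg=_message_param(query_string))


def render_error_safe(query_string: str) -> str:
    """Hardened form: HTML-escape the parameter before placing it in
    element content, so any markup in it is rendered as text."""
    return PAGE.format(msg=html.escape(_message_param(query_string), quote=True))


def reflected_fragment(rendered: str) -> str:
    """Strip the fixed template around the dynamic part of a response body,
    leaving only what the server reflected from the request."""
    prefix, suffix = PAGE.split("{msg}")
    if not (rendered.startswith(prefix) and rendered.endswith(suffix)):
        raise ValueError("response does not match the expected template")
    return rendered[len(prefix):len(rendered) - len(suffix)]


def is_safely_encoded(rendered: str) -> bool:
    """Defender's check: the reflected fragment must contain none of the
    characters that can open a tag or break out of an attribute."""
    return not any(c in reflected_fragment(rendered) for c in "<>\"'")


if __name__ == "__main__":
    # Constructed request with harmless markup in the message parameter.
    query = "err=<b>oops</b>"
    print("unsafe encoded?", is_safely_encoded(render_error_unsafe(query)))  # False
    print("safe encoded?  ", is_safely_encoded(render_error_safe(query)))    # True
```

The check compares the response against the known template rather than searching for particular strings, so it flags any unencoded metacharacter in the reflected part, not only the payload it was tested with.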

Impact

Cross-site scripting (XSS)

Affected Products

FortiOS 6.0.0 to 6.0.4

FortiOS 5.6.0 to 5.6.7

FortiOS 5.4 and below

Solutions

Upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0

Workarounds:

As a workaround on unfixed versions, if the SSL-VPN web portal feature is enabled, disable the SSL-VPN web portal service by applying the following CLI commands:

For FortiOS 5.0 and below branches:

config vpn ssl settings
set sslvpn-enable disable
end

For FortiOS 5.2 and above branches:

config vpn ssl settings
unset source-interface
end

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure.