PSIRT Advisory

FortiOS reflected XSS in the SSL VPN web portal error page parameters

Summary

Failure to sanitize input in the SSL VPN web portal may allow an attacker to perform a reflected Cross-site Scripting (XSS) attack via multiple parameters of the error page HTTP request.

Impact

Cross-site Scripting (XSS)

Affected Products

CVE-2019-5586

FortiOS 6.0.0 to 6.0.4

FortiOS 5.2.0 to 5.6.10


CVE-2019-5588

FortiOS 6.0.0 to 6.0.4

Solutions

Upgrade to FortiOS 5.6.11, 6.0.5 or 6.2.0


Workarounds:


Disable the SSL-VPN web portal service by applying the following CLI commands:

config vpn ssl settings
unset source-interface
end


Revision History:

05-24-2019 Initial version

08-21-2019 Add 5.6 branch fixing for CVE-2019-5586

Acknowledgement

Fortinet is pleased to thank Aaron Hall from Verizon Media Group (Oath) for reporting CVE-2019-5586  and Nathan HARDY Cybersecurity Engineer/Consultant at Sogeti Luxembourg for reporting CVE-2019-5588 under responsible disclosures.