DHCP Hostname HTML Injection
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-16-003
Final
1
1
2016-03-16T00:00:00
Current version
A malicious script can be injected through the DHCP HOSTNAME option. The script is injected into the device's "DHCP Monitor" page (System -> Monitor -> DHCP Monitor) of the web-based interface, which is accessible to web UI administrators.
Cross Site Scripting
FortiOS
Upgrade to one of the following FortiOS versions:
5.0 branch: 5.0.13 or above
5.2 branch: 5.2.4 or above
5.4 branch: 5.4.0 or above
4.3 and lower branches are not affected by this vulnerability.
https://fortiguard.fortinet.com/psirt/FG-IR-16-003
https://cwe.mitre.org/data/definitions/80.html
Fortinet is pleased to thank Ziv Kamir from GamaSec for reporting a FortiOS vulnerability under responsible disclosure.
CVE-2015-3626