Description
During the scan, Cytrix managed to find a Cross-site Scripting (CVE-2017-14186) vulnerability.
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, and 5.4 and below, caused by a failure to sanitize the login redir parameter in the SSL-VPN web portal, allows an attacker to inject arbitrary web scripts or HTML in the context of the victim's browser.
A URL redirection attack can also be achieved by injecting an external URL via the affected parameter.
Severity/Score
CVSS Version 3.x – 5.4 Medium
Recommendation
Update to the latest version released by Fortinet.
The vendor advisory linked below provides the fix details.
References
https://www.fortiguard.com/psirt/FG-IR-17-242
https://cwe.mitre.org/data/definitions/79.html