PSIRT Advisories

FortiOS XSS vulnerabilities via FortiView Application filter, FortiToken activation & SSL VPN Replacement Messages

Summary

Three XSS vulnerabilities

  • one via the filter input in "Applications" under FortiView (CVE-2017-3131)
  • the second via the action input during the activation of a FortiToken (CVE-2017-3132)
  • the third via the Replacement Message HTML for SSL-VPN (CVE-2017-3133)

can be exploited only by logged-in users, to load and run remote (malicious) JavaScript in the logged-in browser.

Affected Products

  • CVE-2017-3131 : FortiOS versions 5.4.0 to 5.6.0
  • CVE-2017-3132 : FortiOS versions up to 5.6.0
  • CVE-2017-3133 : FortiOS versions up to 5.6.0

Solutions

  • CVE-2017-3131 : Upgrade to FortiOS version 5.4.6 or 5.6.1
  • CVE-2017-3132 : Upgrade to FortiOS version 5.2.12, 5.4.6 or 5.6.1
  • CVE-2017-3133 : Upgrade to FortiOS version 5.2.12, 5.4.6 or 5.6.1

Workarounds

  • CVE-2017-3131 and CVE-2017-3133 : Restrict "System Configuration" access to "None" for untrusted Admin Profiles.
  • CVE-2017-3132 : Restrict "User & Device" access to "None" for untrusted Admin Profiles.
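The workarounds above as they would be applied from the FortiOS CLI, shown here as an added example that is not part of the advisory: the profile name "untrusted_admin" is a constructed placeholder, and the mapping of the GUI labels "System Configuration" and "User & Device" to the accprofile attributes sysgrp and authgrp is an assumption drawn from the 5.x CLI reference, not stated by the advisory.

```text
# Added example (not from the advisory). Profile name is a placeholder.
# Assumption: GUI "System Configuration" == sysgrp, "User & Device" == authgrp.

# Weak profile: an admin who only needs monitoring rights has read-write
# access to the pages the three XSS issues live behind.
config system accprofile
    edit "untrusted_admin"
        set sysgrp read-write     # System Configuration (CVE-2017-3131 / -3133)
        set authgrp read-write    # User & Device        (CVE-2017-3132)
    next
end

# Hardened profile per the workaround: both groups set to "none" until the
# device is upgraded to a fixed release (5.2.12 / 5.4.6 / 5.6.1).
config system accprofile
    edit "untrusted_admin"
        set sysgrp none
        set authgrp none
    next
end

# Verify the change took effect (read-only; safe to run any time):
show system accprofile untrusted_admin
```

This is a mitigation, not a fix: the upgrade listed under Solutions is still required, and the restriction only helps if untrusted administrators cannot edit their own admin profiles.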

Acknowledgement

Fortinet is pleased to thank Patryk Bogdan of Secorda for reporting this vulnerability under responsible disclosure.