PSIRT Advisories

FortiOS web GUI logindisclaimer redir parameter XSS vulnerability


A reflected XSS vulnerability exists in the redir parameter of the FortiOS web GUI "Login Disclaimer". It is potentially exploitable by a remote unauthenticated attacker who sends a maliciously crafted URL to a victim with an open session on the web GUI. Visiting that malicious URL may cause arbitrary JavaScript code to execute in the security context of the victim's browser.

Affected Products

Branch 5.6: FortiOS 5.6.0

Branch 5.4: FortiOS 5.4.0 to 5.4.5

Other branches are not affected.


Branch 5.6: Upgrade to FortiOS 5.6.1 or above.

Branch 5.4: Upgrade to FortiOS 5.4.6 or above.


Fortinet is pleased to thank Starhub Singapore and Andrew Ho, Maximus Consulting, and Donato Onofri of DXC Technology for reporting this vulnerability under responsible disclosure.