PSIRT Advisories

FortiGate SSL VPN web portal login redir XSS vulnerability


Failure to sanitize the login redir parameter of the SSL VPN web portal may allow an attacker who lures a user to a crafted login URL to perform a Cross-site Scripting (XSS) or URL redirection (open redirect) attack against that user.
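The bug class described above, as an added example that is not Fortinet's code and does not reproduce the FortiOS portal: a login page that copies a redir parameter verbatim into its HTML, beside a hardened version that accepts only a same-origin relative path and escapes it for the attribute context. The paths (/portal/index, /portal/logincheck) and the DEFAULT_LANDING fallback are hypothetical.

```python
import html
from urllib.parse import urlsplit

# Assumed landing page used when the supplied redir is rejected (hypothetical path).
DEFAULT_LANDING = "/portal/index"


def is_safe_redirect(redir: str) -> bool:
    """Return True only for a same-origin relative path such as '/portal/app?id=3'.

    Rejected: empty or oversized values, anything outside printable ASCII
    (stops CR/LF header injection and stray Unicode), absolute URLs with a
    scheme or host, protocol-relative '//host' and the '/\\host' spelling
    that browsers also treat as a host.
    """
    if not redir or len(redir) > 2048:
        return False
    if any(not (0x21 <= ord(c) <= 0x7E) for c in redir):
        return False
    if redir[0] != "/":
        return False
    if len(redir) > 1 and redir[1] in "/\\":
        return False
    # Second opinion from the URL parser: a valid value has neither scheme nor netloc.
    parts = urlsplit(redir)
    return not parts.scheme and not parts.netloc


def choose_redirect(redir: str) -> str:
    """Resolve the post-login destination, falling back to the fixed landing page."""
    return redir if is_safe_redirect(redir) else DEFAULT_LANDING


def render_login_vulnerable(redir: str) -> str:
    """The bug class in this advisory: the parameter is copied verbatim into the page."""
    return ('<form method="post" action="/portal/logincheck">'
            f'<input type="hidden" name="redir" value="{redir}">'
            '</form>')


def render_login_hardened(redir: str) -> str:
    """Validate the destination first, then escape it for the HTML attribute context."""
    safe = html.escape(choose_redirect(redir), quote=True)
    return ('<form method="post" action="/portal/logincheck">'
            f'<input type="hidden" name="redir" value="{safe}">'
            '</form>')


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate value, an open-redirect attempt and an XSS payload.
    for sample in ("/portal/app?id=3", "//attacker.example/", '"><script>alert(1)</script>'):
        print(repr(sample), "->", choose_redirect(sample))
```

The allow-list approach (a single leading slash, printable ASCII only, no scheme or host) is deliberately stricter than a deny-list of known-bad prefixes: it also rejects the backslash host form and CR/LF sequences that a simple "must not start with http" check would let through. Escaping alone would stop the XSS but not the open redirect, which is why the destination is validated before it is rendered.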

Affected Products

FortiOS 6.0.0 -> 6.0.4

FortiOS 5.6.0 -> 5.6.7

FortiOS 5.4 and below.


Solutions

Upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0.


Workaround for unfixed versions: if the SSL VPN web portal is enabled, disable the SSL VPN service with the following CLI commands. Note that both command sets stop the SSL VPN service as a whole, tunnel mode included, not only the web portal, so remote access is unavailable until the upgrade is applied.

For FortiOS 5.0 and below branches:

config vpn ssl settings
set sslvpn-enable disable
end

For FortiOS 5.2, 5.4 and 5.6 branches:

config vpn ssl settings
unset source-interface
end

Revision History:

2017-11-23 Initial version
2018-05-15 Clarified the versions the workaround applies to
2018-09-06 Corrected the exploit condition and risk level
2019-05-15 Fixed versions and risk level updated


Fortinet is pleased to thank Stefan Viehböck from SEC Consult Vulnerability Lab, Dan Taler from Content Security Pty Ltd, Sage Data Security, Julio Sanchez from SecureAuth Corporation and Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure.