PSIRT Advisories
FortiOS reflected XSS in the SSL VPN web portal error page parameters
Summary
Failure to sanitize input in the SSL VPN web portal may allow an attacker to perform a reflected Cross-site Scripting (XSS) attack via multiple parameters of the error page HTTP request.
Affected Products
CVE-2019-5586
FortiOS 6.0.0 to 6.0.4
FortiOS 5.2.0 to 5.6.10
CVE-2019-5588
FortiOS 6.0.0 to 6.0.4
Solutions
Upgrade to FortiOS 5.6.11, 6.0.5 or 6.2.0
Workarounds:
Disable the SSL-VPN web portal service by applying the following CLI commands:
config vpn ssl settings
    unset source-interface
end
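The affected ranges and the workaround above can both be checked mechanically during an audit. The following is an added example, not Fortinet's own code or tooling: it parses a FortiOS version string against the inclusive ranges listed under Affected Products, and inspects the `config vpn ssl settings` block of a `show` output to tell whether a source-interface is still bound (i.e. whether the `unset source-interface` workaround has not been applied). The sample config text is constructed, and the assumption that `show vpn ssl settings` prints `set source-interface "<name>"` inside that block is mine.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges exactly as published in the advisory.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2019-5586": [((6, 0, 0), (6, 0, 4)), ((5, 2, 0), (5, 6, 10))],
    "CVE-2019-5588": [((6, 0, 0), (6, 0, 4))],
}

# Accepts "6.0.4", "v6.0.4" or "6.0.4,build0231"; anything else is an error,
# so a mistyped version is never silently reported as unaffected.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Turn a FortiOS version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_cves(version_text: str) -> List[str]:
    """Return the CVE ids from this advisory that apply to the given version."""
    v = parse_version(version_text)
    return [
        cve
        for cve, ranges in AFFECTED.items()
        if any(lo <= v <= hi for lo, hi in ranges)
    ]


def ssl_portal_bound(show_output: str) -> bool:
    """True if 'config vpn ssl settings' still binds at least one source-interface.

    Assumes the 'show vpn ssl settings' layout (an assumption of this example):
    a 'config vpn ssl settings' line, indented 'set ...' lines, then 'end'.
    After 'unset source-interface' the 'set source-interface' line is absent.
    """
    in_block = False
    for line in show_output.splitlines():
        s = line.strip()
        if s == "config vpn ssl settings":
            in_block = True
        elif in_block and s == "end":
            in_block = False
        elif in_block and s.startswith("set source-interface"):
            value = s[len("set source-interface"):].strip().strip('"')
            return bool(value)  # e.g. "port1", or several quoted names
    return False


# Constructed sample outputs for a quick self-check; not captured from a device.
SAMPLE_EXPOSED = """config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "port1"
    set source-address "all"
end
"""

SAMPLE_WORKAROUND = """config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-address "all"
end
"""


def audit(version_text: str, show_output: str) -> str:
    """One-line verdict combining the version check and the workaround check."""
    cves = affected_cves(version_text)
    if not cves:
        return f"{version_text}: not in an affected range"
    if ssl_portal_bound(show_output):
        return f"{version_text}: affected by {', '.join(cves)}; portal still bound, upgrade"
    return f"{version_text}: affected by {', '.join(cves)}; workaround applied, still upgrade"


if __name__ == "__main__":
    print(audit("6.0.4", SAMPLE_EXPOSED))
    print(audit("5.6.10,build1234", SAMPLE_WORKAROUND))
    print(audit("v6.0.5", SAMPLE_EXPOSED))
```

The range table is a data structure rather than a chain of `if` statements so that the 5.2.0-to-5.6.10 span, which crosses minor versions, is compared as whole tuples; a check that looked only at the patch number would wrongly clear 5.4.x.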
Revision History:
05-24-2019 Initial version
08-21-2019 Added 5.6 branch fix for CVE-2019-5586
Acknowledgement
Fortinet is pleased to thank Aaron Hall from Verizon Media Group (Oath) for reporting CVE-2019-5586, and Nathan HARDY, Cybersecurity Engineer/Consultant at Sogeti Luxembourg, for reporting CVE-2019-5588, under responsible disclosure.