| IR Number | FG-IR-19-301 |
| Date | Sep 7, 2021 |
| Severity |
Medium |
| CVSSv3 Score | 4.7 |
| Impact | Execute unauthorized code or commands |
| CVE ID | CVE-2019-16151 |
| Affected Products |
FortiOS
:
6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0
|
| CVRF | Download |
| Language |
Refine Search
PSIRT Advisories
FortiOS - Host header injection vulnerability
Summary
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS may allow a remote unauthenticated attacker to either redirect users to malicious websites via a crafted "Host" header or to execute JavaScript code in the victim's browser context.
This happens when the FortiGate has web filtering and category override enabled/configured.
Affected Products
FortiOSÂ version 6.4.1 and below.
FortiOS version 6.2.9 and below.
Solutions
Please upgrade to FortiOSÂ version 6.4.2 or above.
Please upgrade to FortiOS version 6.2.10 or above.