[CVE-2017-7733] GUI logindisclaimer redir parameter not XSS sanitized Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-17-113 Final 1 1 2017-10-24T00:00:00 Current version 2017-10-24T00:00:00 2017-10-24T00:00:00 A reflected XSS vulnerability exists in FortiOS web GUI "Login Disclaimer" redir parameter. It is potentially exploitable by a remote unauthenticated attacker, via sending a maliciously crafted URL to a victim who has an open session on the web GUI. Visiting that malicious URL may cause the execution of arbitrary javascript code in the security context of the victim's browser. Execute unauthorized code or commands Branch 5.6: FortiOS 5.6.0Branch 5.4: FortiOS 5.4.0 to 5.4.5Other branches are not affected Branch 5.6: Upgrade to FortiOS 5.6.1 or aboveBranch 5.4: Upgrade to FortiOS 5.4.6 or above. Fortinet is pleased to thank Starhub Singapore and Andrew Ho, Maximus Consulting, and Donato Onofri of DXC Technology for reporting this vulnerability under responsible disclosure. CVE-2017-7733 5.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-17-113 [CVE-2017-7733] GUI logindisclaimer redir parameter not XSS sanitized Reference>