FortiGate SSL VPN Portal XSS Vulnerability 'redir'@/remote/loginredir Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-17-242 Final 1 1 2019-05-24T00:00:00 Current version 2019-05-24T00:00:00 2019-05-24T00:00:00 Failure to sanitize the login redir parameter in the SSL-VPN web portal may allow an attacker to perform a Cross-site Scripting (XSS) or an URL Redirection attack. Execute unauthorized code or commands FortiOS 6.0.0 -> 6.0.4FortiOS 5.6.0 -> 5.6.7FortiOS 5.4 and below. Upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0Workarounds:For workaround on the unfixed versions, if the SSL-VPN web portal feature was enabled, disable the SSL-VPN web portal service by applying the following CLI commands:For FortiOS 5.0 and below branches:config vpn ssl settingsset sslvpn-enable disableendFor FortiOS 5.2, 5.4 and 5.6 branches:config vpn ssl settingsunset source-interfaceendRevision History:2017-11-23 Initial version2018-05-15 Clarify the workaround applied versions2018-09-06 Correct the exploit condition and risk level2019-05-15 Fixed version and Risk level updated https://fortiguard.fortinet.com/psirt/FG-IR-17-242 FortiGate SSL VPN Portal XSS Vulnerability 'redir'@/remote/loginredir https://www.sec-consult.com/en/blog/advisories/fortigate-ssl-vpn-portal-xss-vulnerability/index.html https://www.sec-consult.com/en/blog/advisories/fortigate-ssl-vpn-portal-xss-vulnerability/index.html Fortinet is pleased to thank Stefan Viehböck from SEC Consult Vulnerability Lab, Dan Taler from Content Security Pty Ltd, Sage Data Security, Julio Sanchez from SecureAuth Corporation and Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure. CVE-2017-14186 6.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-17-242 FortiGate SSL VPN Portal XSS Vulnerability 'redir'@/remote/loginredir Reference> https://www.sec-consult.com/en/blog/advisories/fortigate-ssl-vpn-portal-xss-vulnerability/index.html https://www.sec-consult.com/en/blog/advisories/fortigate-ssl-vpn-portal-xss-vulnerability/index.html