XSS against CSRF failure page due referer not been XSS escaped Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-18-059 Final 1 1 2018-05-29T00:00:00 Current version 2018-05-29T00:00:00 2018-05-29T00:00:00 On FortiAuthenticator, a HTML page is returned to the user when the CSRF validation fails on referer mismatch. This page displays the faulty referer without sanitizing it. Therefore, in an attack scenario where the referer could be manipulated, the attacker could inject malicious scripts in the aforementioned HTML-page. Execute unauthorized code or commands FortAuthenticator below 5.3.0 versions. Upgrade to FortiAuthenticator 5.3.0 or above. Fortinet is pleased to thank Arun Narayanan from Applied-Risk reporting this vulnerability under responsible disclosure. CVE-2018-9186 3.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-18-059 XSS against CSRF failure page due referer not been XSS escaped Reference>