Invalidated Redirect to a Malicious Site through Admin Password Change Page Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-19-179 Final 1 1 2020-02-18T00:00:00 Current version 2020-02-18T00:00:00 2020-02-18T00:00:00 An improper input validation vulnerability in FortiOS admin webUI may allow an attacker to perform an URL redirect attack via a specifically crafted request to the admin initial password change webpage.An attacker could potentially redirect unsuspecting admin users to a malicious website, should they click on a specifically crafted URL provided by the attacker and pointing to the FortiOS webUI admin password initial change page. Execute unauthorized code or commands FortiOS 6.2.1, 6.2.0, 6.0.8 and below versions until 5.4.0.(versions lower than 5.4.0 are not impacted) Upgrade to FortiOS 6.2.2 or 6.0.9 or above Fortinet is pleased to thank "Independent research team Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev" for reporting this vulnerability under responsible disclosure. CVE-2019-6696 6.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-19-179 Invalidated Redirect to a Malicious Site through Admin Password Change Page Reference>