Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-3978 — Cross-site Scripting in Fortinet Fortios

Severity
6.1 MEDIUM (NVD)
EPSS
5.5%
top 9.71%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Apr 8
Latest update: May 17

Description

The Web User Interface (WebUI) in FortiOS 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via the "redirect" parameter to "login."

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (1 package)

NVD: fortinet/fortios (17 versions, +16 more)

🔴Vulnerability Details

2 entries
GHSA
GHSA-8cv6-hp47-6h2g: The Web User Interface (WebUI) in FortiOS 5 (2022-05-17)
CVEList
CVE-2016-3978: The Web User Interface (WebUI) in FortiOS 5 (2016-04-08)

💥Exploits & PoCs

1 entry
Nuclei
Fortinet FortiOS - Open Redirect/Cross-Site Scripting
CVE-2016-3978 — Cross-site Scripting in Fortinet | cvebase