Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-14186: Cross-site Scripting in Fortinet FortiOS

Severity
5.4 MEDIUM (NVD)
EPSS
3.0%
top 13.42%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Nov 29
Latest update: May 14

Description

A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, and 5.4 and earlier, in the SSL VPN web portal, allows a remote user to inject arbitrary web script or HTML in the context of the victim's browser via the login redir parameter. A URL redirection attack may also be feasible by injecting an external URL via the affected parameter.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (2 packages)

NVD: fortinet/fortios 5.4.0, 5.4.6 (+3 more)
CVEList V5: fortinet_inc/fortios, 4 versions (+3 more)

🔴Vulnerability Details (2)
GHSA
GHSA-c8pf-wf99-pr3g: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6 (2022-05-14)
CVEList
CVE-2017-14186: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6 (2017-11-29)

💥Exploits & PoCs (1)
Nuclei
FortiGate FortiOS SSL VPN Web Portal - Cross-Site Scripting

📋Vendor Advisories (1)
Fortinet
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4 and below versions un... (2017-11-29)

🕵️Threat Intelligence (1)
Greynoiseio
NoiseLetter October 2025
CVE-2017-14186: Cross-site Scripting in Fortinet | cvebase