CVE-2017-14186
published 2017-11-29


Priority: P430 (medium)
CVSS 3.0 base score: 5.4
CVSS 3.0 vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N

Exploit
EPSS: 3.72% (88.4th percentile)
A Cross-site Scripting (XSS) vulnerability in the SSL VPN web portal of Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, and versions 5.4 and below allows a remote user to inject arbitrary web script or HTML in the context of the victim's browser via the login redir parameter. A URL redirection attack may also be feasible by injecting an external URL via the affected parameter.

Affected

10 ranges

Vendor         Product    Version range    Fixed in
fortinet       fortinet
fortinet       fortios    <= 5.0
fortinet       fortios    <= 5.2.12
fortinet       fortios
fortinet       fortios    5.4.0 – 5.4.6
fortinet       fortios    5.6.0 – 5.6.2
fortinet_inc   fortios
fortinet_inc   fortios
fortinet_inc   fortios
fortinet_inc   fortios

CVSS provenance

Source   Version   Score   Severity   Vector
NVD      v3.0      5.4     MEDIUM     CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
NVD      v2.0      3.5     LOW        AV:N/AC:M/Au:S/C:N/I:P/A:N