CVE-2017-14186
Published 2017-11-29
Priority: P4 · 30 · medium · CVSS 3.0 base score 5.4
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EXPLOIT
EPSS: 3.72% (88.4th percentile)
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4 and below versions under SSL VPN web portal allows a remote user to inject arbitrary web script or HTML in the context of the victim's browser via the login redir parameter. A URL Redirection attack may also be feasible by injecting an external URL via the affected parameter.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortios | <= 5.0 | — |
| fortinet | fortios | <= 5.2.12 | — |
| fortinet | fortios | — | — |
| fortinet | fortios | 5.4.0 – 5.4.6 | — |
| fortinet | fortios | 5.6.0 – 5.6.2 | — |
| fortinet_inc | fortios | — | — |
| fortinet_inc | fortios | — | — |
| fortinet_inc | fortios | — | — |
| fortinet_inc | fortios | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
Fortinet advisory FG-IR-17-242 · vendor_fortinet · 2017-11-29 · CVSS 5.4 · MEDIUM · CWE-79
Description: same text as the NVD description above.
CVEs: CVE-2017-14186
CWEs: CWE-79
CVSS: 5.4 (medium)
Affected products: FortiOS, Fortinet
GHSA-c8pf-wf99-pr3g · ghsa_unreviewed · 2022-05-14 · MEDIUM · CWE-79
Description: same text as the NVD description above.
No detection rules found.
Nuclei template · nuclei · CVSS 5.4 · MEDIUM
FortiGate FortiOS SSL VPN Web Portal - Cross-Site Scripting
FortiGate FortiOS through SSL VPN Web Portal contains a cross-site scripting vulnerability. The login redir parameter is not sanitized, so an attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks such as a URL redirect. Affected versions are 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, and 5.4 and below.
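The description above says the login `redir` parameter is neither validated as a redirect target nor sanitized when reflected, which is what turns one parameter into both a reflected XSS and an open redirect. The following is an added, generic example of the two server-side controls that close that class of flaw; it is not Fortinet's or the Nuclei project's code and does not reproduce FortiOS logic. Only the parameter name `redir` comes from the description; the landing page `/`, the form markup and the sample inputs are assumed or constructed.

```python
"""Defender-side handling of a post-login "redir" parameter.

Added illustration for the flaw class described above (unsanitized login
redirect parameter leading to reflected XSS and open redirect). Generic
example code, not Fortinet's or the Nuclei project's; the parameter name
"redir" is taken from the description, everything else is assumed.
"""
from html import escape
from urllib.parse import urlsplit

# Assumed landing page used whenever the supplied target is rejected.
DEFAULT_TARGET = "/"


def is_safe_local_redirect(target: str) -> bool:
    """Accept only same-site, path-absolute targets such as '/portal/?x=1'.

    Rejects absolute URLs (http://..., javascript:...), protocol-relative
    URLs (//host), backslash variants that some browsers normalise to //,
    and control characters that a browser may silently drop (for example a
    tab inside 'java\\tscript:').
    """
    if not isinstance(target, str) or not target:
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    if not target.startswith("/"):
        return False
    if target.startswith(("//", "/\\")):
        return False
    parts = urlsplit(target)
    # After the checks above scheme and netloc are empty; this guard stays in
    # case a different URL parser is swapped in later.
    return not parts.scheme and not parts.netloc


def sanitize_redirect(target: str) -> str:
    """Return the target unchanged if it is safe, otherwise DEFAULT_TARGET."""
    return target if is_safe_local_redirect(target) else DEFAULT_TARGET


def render_login_form(redir: str) -> str:
    """Echo the validated redirect target into a hidden form field.

    The value is HTML-escaped with quote=True so that a double quote or an
    angle bracket in the input cannot break out of the attribute.
    """
    safe = sanitize_redirect(redir)
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="redir" value="{escape(safe, quote=True)}">'
        "</form>"
    )


# Constructed sample inputs (not captured traffic) to exercise the checks.
SAMPLE_TARGETS = [
    "/portal/",                 # legitimate local path
    "/a?b=1&c=2",               # local path with a query string
    "https://evil.example/",    # external absolute URL
    "//evil.example/",          # protocol-relative URL
    "/\\evil.example/",         # backslash variant of the above
    "javascript:alert(1)",      # script scheme
    "java\tscript:alert(1)",    # tab-obfuscated scheme
    '"><script>x</script>',     # attribute break-out attempt
]


def classify_samples() -> dict:
    """Map each constructed sample to the target the login handler would use."""
    return {t: sanitize_redirect(t) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for raw, used in classify_samples().items():
        print(f"{raw!r:32} -> {used!r}")
    print(render_login_form("/a?b=1&c=2"))
```

Validating the target (allow-list of local paths) and escaping the reflection are independent controls: the first alone still leaves a reflected `"><script>` payload in the page if the value is echoed unescaped, and the second alone still lets `https://evil.example/` through as a redirect. Both belong in the handler.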
Template (the page reproduces only the `info` block; the request section is not shown):

```yaml
id: CVE-2017-14186

info:
  name: FortiGate FortiOS SSL VPN Web Portal - Cross-Site Scripting
  author: johnk3r
  severity: medium
  description: |
    FortiGate FortiOS through SSL VPN Web Portal contains a cross-site scripting vulnerability. The login redir parameter is not sanitized, so an attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks such as a URL redirect. Affected versions are 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, and 5.4 and below.
```