Javier Nieto

**Name of the Vulnerable Software and Affected Versions** FortiOS versions 5.0.x through 5.0.12 FortiOS versions 5.2.x through 5.2.2 FortiOS versions 5.4.x before 5.4.0 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via the `redirect` parameter to "login". This is due to insufficient protection of the web page structure, which may allow an attacker to inject arbitrary JavaScript or HTML code. **Recommendations** For FortiOS versions 5.0.x through 5.0.12, update to version 5.0.13 or later. For FortiOS versions 5.2.x through 5.2.2, update to version 5.2.3 or later. For FortiOS versions 5.4.x before 5.4.0, update to version 5.4.0 or later. As a temporary workaround, consider restricting access to the "login" endpoint to minimize the risk of exploitation. Avoid using the `redirect` parameter in the affected API endpoint until the issue is resolved.