PT-2017-3710 · Fortinet · FortiOS

Published: 2017-11-03 · Updated: 2017-11-29 · CVE-2017-7739

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FortiOS versions 5.2.0 through 5.2.11; FortiOS versions 5.4.0 through 5.4.5; FortiOS version 5.6.0
Description: The web proxy disclaimer response web pages do not adequately neutralize attacker-controlled input before embedding it in the page, so a remote attacker can inject arbitrary JavaScript or HTML code using a specially crafted URI. This is a reflected Cross-site Scripting (XSS) vulnerability. An unauthenticated attacker can exploit it by sending a maliciously crafted URL to the victim; when the victim opens it, arbitrary JavaScript executes in the context of the victim's browser.
Recommendations: For FortiOS versions 5.2.0 through 5.2.11, 5.4.0 through 5.4.5, and 5.6.0, update to a release that includes the fix for this issue. As a temporary workaround, consider restricting access to the web proxy disclaimer response web pages until the patch is applied, and do not follow untrusted links to these pages until the vulnerability is resolved.
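To illustrate the defect class the description names (a reflected value embedded in a disclaimer page without encoding) beside its fix, here is an added example; it is not FortiOS code and does not reproduce the FortiOS disclaimer page. The functions, the sample URL and the page markup are constructed for illustration. It shows the same value rendered in two HTML contexts (text and an attribute) and why entity encoding in both contexts is what removes the injection.

```python
import html

# Constructed sample input: a requested URL carrying markup, as an attacker-
# supplied link might. Only used to contrast the two renderers below.
SAMPLE_URL = 'http://example.test/page?q=<script>alert(1)</script>&x="y"'


def render_disclaimer_unsafe(requested_url: str) -> str:
    """Hypothetical disclaimer page that reflects the URL verbatim.

    This is the vulnerable pattern: user input lands in the HTML body and in
    an attribute with no encoding, so markup in the URL becomes page markup.
    """
    return (
        "<p>You are about to visit: " + requested_url + "</p>\n"
        '<a href="' + requested_url + '">Continue</a>'
    )


def render_disclaimer_safe(requested_url: str) -> str:
    """Same page with HTML entity encoding applied before the value is embedded.

    html.escape(..., quote=True) neutralizes < > & and both quote characters,
    which covers the text context and the double-quoted attribute context used
    here. Output encoding must match the context the value is placed into.
    """
    escaped = html.escape(requested_url, quote=True)
    return (
        "<p>You are about to visit: " + escaped + "</p>\n"
        '<a href="' + escaped + '">Continue</a>'
    )


def contains_injected_markup(rendered: str) -> bool:
    """Crude indicator used only to compare the two renderers: does a raw
    <script> tag or an attribute-breaking quote from the input survive?"""
    lowered = rendered.lower()
    return "<script" in lowered or '"y"' in rendered


if __name__ == "__main__":
    print("unsafe:", contains_injected_markup(render_disclaimer_unsafe(SAMPLE_URL)))
    print("safe:  ", contains_injected_markup(render_disclaimer_safe(SAMPLE_URL)))
```

The point a reviewer would check in any disclaimer or interstitial page is the encoded form: the hardened renderer emits `&lt;script&gt;` and `&quot;`, so the browser shows the URL as text rather than parsing it as markup.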

Tags: Fix · XSS


Weakness Enumeration

Related Identifiers

BDU:2018-01280
CVE-2017-7739

Affected Products

FortiOS