CVE-2017-14190

Name of the Vulnerable Software and Affected Versions: Fortinet FortiOS versions 5.6.0 through 5.6.2 Fortinet FortiOS versions 5.4.0 through 5.4.7 Fortinet FortiOS version 5.2 and earlier

Description: A Cross-site Scripting issue allows an attacker to inject arbitrary web script or HTML via a maliciously crafted Host header in user HTTP requests. This can be exploited by an attacker in a Man-in-the-middle position or by poisoning a web cache used by the potential victim, leading to a persistent XSS attack. The vulnerability is caused by insufficient protection of the web page structure, enabling a remote attacker to inject arbitrary JavaScript or HTML code.

Recommendations: For Fortinet FortiOS versions 5.6.0 through 5.6.2, consider disabling the web proxy disclaimer page until a patch is available. For Fortinet FortiOS versions 5.4.0 through 5.4.7, restrict access to the web proxy to minimize the risk of exploitation. For Fortinet FortiOS version 5.2 and earlier, avoid using the web proxy functionality until the issue is resolved. As a temporary workaround, consider restricting the use of the Host header in HTTP requests to prevent malicious input.