PT-2016-3274 · Fortinet · FortiOS

Javier Nieto · Published 2016-04-08 · Updated 2016-04-14 · CVE-2016-3978

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
FortiOS versions 5.0.x through 5.0.12
FortiOS versions 5.2.x through 5.2.2
FortiOS versions 5.4.x before 5.4.0

Description
The issue allows remote attackers to redirect users to arbitrary web sites and to conduct phishing or cross-site scripting (XSS) attacks via the redirect parameter of the "login" endpoint. The cause is insufficient protection of the web page structure: the value of the parameter is not validated or encoded before it is used, which may allow an attacker to inject arbitrary JavaScript or HTML code.

Recommendations
For FortiOS versions 5.0.x through 5.0.12, update to version 5.0.13 or later.
For FortiOS versions 5.2.x through 5.2.2, update to version 5.2.3 or later.
For FortiOS versions 5.4.x before 5.4.0, update to version 5.4.0 or later.
As a temporary workaround, consider restricting access to the "login" endpoint to minimize the risk of exploitation, and avoid using the redirect parameter of the affected endpoint until the issue is resolved.
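The underlying defect is a redirect parameter that is trusted as-is. The following is an added example, not FortiOS code, of how a login handler can confine that parameter to same-origin paths and encode it before echoing it into markup; the function names and the "/" default landing page are assumptions for illustration.

```python
import html
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed default: the application's own landing page.
SAFE_DEFAULT = "/"


def safe_redirect_target(redirect: Optional[str], default: str = SAFE_DEFAULT) -> str:
    """Return a redirect target that stays on the current origin.

    Rejects absolute URLs (open redirect), protocol-relative "//host" forms,
    any scheme such as "javascript:", backslash variants that some browsers
    treat like "//", and control characters (CR/LF would also enable header
    injection if the value ends up in a Location header).
    """
    if not redirect:
        return default
    value = redirect.strip()
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return default
    # Check the raw value: "///host" parses with an empty netloc but is
    # still followed off-site by some browsers.
    if value.startswith("//") or "\\" in value:
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default  # absolute or protocol-relative, i.e. off-site
    if not parts.path.startswith("/"):
        return default  # must be an origin-relative path
    # Rebuild from path and query only; fragment is dropped.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def render_login_link(redirect: Optional[str]) -> str:
    """Echo the validated target into HTML with attribute escaping, so even
    an accepted value cannot break out of the href attribute (XSS defence)."""
    target = safe_redirect_target(redirect)
    return '<a href="%s">Continue</a>' % html.escape(target, quote=True)
```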

Fix

XSS


Weakness Enumeration

Related identifiers

BDU:2018-01292
CVE-2016-3978

Affected products

FortiOS