PT-2017-15672 · Fortinet · Fortimail

Published

2017-04-12

Updated

2017-04-18

CVE-2017-3125

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions FortiMail versions 5.0.0 through 5.2.9 FortiMail versions 5.3.0 through 5.3.8

Description The issue allows an attacker to execute arbitrary scripts in the security context of the browser of a victim logged in to FortiMail, assuming the victim is social engineered into clicking a URL crafted by the attacker. This is due to an unauthenticated XSS vulnerability.

Recommendations For FortiMail versions 5.0.0 through 5.2.9, update to a version outside of this range to mitigate the risk. For FortiMail versions 5.3.0 through 5.3.8, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to potentially vulnerable URLs to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2017-3125

Affected Products

Fortimail

PT-2017-15672 · Fortinet · Fortimail

CVE-2017-3125

Weakness Enumeration

Related Identifiers

Affected Products

References · 4