PT-2017-3709 · Fortinet · FortiOS

Published: 2017-11-23 · Updated: 2019-05-29 · CVE-2017-14186

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
FortiOS versions 5.4 and below
FortiOS versions 5.6.0 through 5.6.7
FortiOS versions 6.0.0 through 6.0.4

Description: The issue is caused by insufficient validation of the redir parameter before it is embedded in the structure of the FortiOS SSL VPN web portal page. It allows a remote attacker to inject arbitrary JavaScript or HTML code using a specially crafted redir parameter value. This can lead to a Cross-site Scripting (XSS) attack or, when an external URL is supplied via the affected parameter, to a URL Redirection (open redirect) attack.

Recommendations: For FortiOS versions 5.4 and below, update to a version above 5.4 to mitigate the risk. For FortiOS versions 5.6.0 through 5.6.7, update to a version above 5.6.7 to mitigate the risk. For FortiOS versions 6.0.0 through 6.0.4, update to a version above 6.0.4 to mitigate the risk. As a temporary workaround, consider restricting access to the redir parameter in the SSL VPN web portal to minimize the risk of exploitation.
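The defect class described above (a redirect parameter that is both followed as a URL and written into the page) is illustrated here with an added example of how a web portal should handle such a parameter; this is generic illustrative code written for this page, not FortiOS code, and the function names, the default target and the sample inputs are constructed assumptions.

```python
from html import escape
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values of the kind a post-login "redir" parameter might
# carry: two legitimate same-origin paths and four that must be refused.
SAMPLE_REDIR_VALUES = [
    "/sslvpn/portal.html",
    "/portal?tab=bookmarks",
    "//evil.example/landing",          # protocol-relative -> off-site redirect
    "https://evil.example/phish",      # absolute URL -> off-site redirect
    "javascript:alert(1)",             # script scheme
    '/portal"><script>alert(1)</script>',  # breaks out of an HTML attribute
]

def sanitize_redir(value: str, default: str = "/") -> str:
    """Return a safe same-origin path for a post-login redirect.

    Anything carrying a scheme or a host (absolute URLs, protocol-relative
    '//host', 'javascript:' and friends), anything containing control
    characters or whitespace, and anything that is not a single-slash rooted
    path is replaced by `default`.  The fragment is dropped.
    """
    if not value:
        return default
    # Tabs, newlines and spaces are stripped or tolerated by browsers in ways
    # that differ from urlsplit(), so refuse them outright.
    if any(ord(ch) < 0x21 for ch in value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    # '//' is protocol-relative and '/\' is treated as '//' by some browsers.
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return default
    return urlunsplit(("", "", path, parts.query, ""))

def render_redirect_link(redir_value: str) -> str:
    """Embed the sanitized target in HTML, escaping it for attribute context.

    Validation alone does not prevent XSS: a rooted path may still contain
    quotes or angle brackets, so the value is also escaped where it is written
    into the page.
    """
    target = sanitize_redir(redir_value)
    return f'<a href="{escape(target, quote=True)}">Continue</a>'

def audit_samples() -> list:
    """Map each constructed sample to the target the portal would actually use."""
    return [(v, sanitize_redir(v)) for v in SAMPLE_REDIR_VALUES]
```

Both layers matter: `sanitize_redir` stops the open redirect, and `escape` stops the injected markup from changing the page structure.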

Fix

XSS


Weakness Enumeration

Related Identifiers

BDU:2018-01279
CVE-2017-14186

Affected Products

FortiOS