CVE-2017-7733

Name of the Vulnerable Software and Affected Versions: FortiOS versions 5.4.0 through 5.4.5 FortiOS version 5.6.0

Description: A Cross-Site-Scripting (XSS) vulnerability exists in the webUI "Login Disclaimer" redir parameter, allowing a remote unauthenticated attacker to execute arbitrary javascript code. The issue is caused by insufficient protection of the web page structure, potentially enabling an attacker to inject arbitrary JavaScript or HTML code using a specially crafted value of the redir parameter. This vulnerability can be exploited by sending a maliciously crafted URL to a victim with an open session on the web GUI, causing the execution of arbitrary javascript code in the security context of the victim's browser.

Recommendations: For FortiOS versions 5.4.0 through 5.4.5, consider disabling the "Login Disclaimer" feature until a patch is available. For FortiOS version 5.6.0, restrict access to the web GUI to minimize the risk of exploitation. As a temporary workaround, avoid using the redir parameter in the affected API endpoint until the issue is resolved.