CVE-2017-3132

Name of the Vulnerable Software and Affected Versions: FortiOS versions 5.6.0 and earlier

Description: A Cross-Site Scripting issue allows attackers to execute unauthorized code or commands via the action input during the activation of a FortiToken. The vulnerability is caused by insufficient protection of the web page structure, which can be exploited by a remote attacker to inject arbitrary JavaScript or HTML code during FortiToken activation using the action parameter.

Recommendations: For FortiOS versions 5.6.0 and earlier, consider disabling the FortiToken activation feature until a patch is available to prevent exploitation. Restrict access to the vulnerable web interface to minimize the risk of remote code injection. Avoid using the action parameter in the affected web interface until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.