CVE-2019-5586

Name of the Vulnerable Software and Affected Versions FortiOS versions 5.2.0 through 5.6.10 FortiOS versions 6.0.0 through 6.0.4

Description A reflected Cross-Site-Scripting (XSS) issue in the SSL VPN web portal is related to the failure to sanitize input. This may allow an attacker to execute unauthorized malicious script code via the param parameter of the error process HTTP requests, enabling remote attackers to perform cross-site scripting attacks.

Recommendations For FortiOS versions 5.2.0 through 5.6.10, consider disabling the SSL VPN web portal until a patch is available. For FortiOS versions 6.0.0 through 6.0.4, restrict access to the error page HTTP request to minimize the risk of exploitation. As a temporary workaround, avoid using the param parameter in the affected HTTP requests until the issue is resolved.