CVE-2019-5588

Name of the Vulnerable Software and Affected Versions FortiOS versions 6.0.0 through 6.0.4

Description The issue is related to a lack of input sanitization in the SSL VPN web portal of the FortiOS operating system. This can be exploited by a remote attacker to perform a reflected Cross-Site Scripting (XSS) attack. The attack can be executed via the err parameter of the error process HTTP requests, allowing the attacker to run unauthorized malicious script code. The vulnerability may also be exploitable through multiple parameters of the error page HTTP request.

Recommendations For FortiOS versions 6.0.0 through 6.0.4, consider disabling the SSL VPN web portal until a patch is available to prevent exploitation. Restrict access to the error page HTTP request to minimize the risk of XSS attacks via the err parameter and other vulnerable parameters. Avoid using the err parameter in the affected HTTP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.