PT-2020-5515 · Fortinet · Fortios

Published: 2020-02-18 · Updated: 2021-07-21 · CVE-2019-6696

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FortiOS versions 5.4.0 through 6.2.1

Description: The issue is an improper input validation vulnerability in the admin webUI of FortiOS that an attacker can exploit to perform a URL redirect attack. A specifically crafted request to the admin initial password change webpage can redirect unsuspecting admin users to a malicious website if they click on the crafted URL.

Recommendations: For FortiOS versions 5.4.0 through 6.2.1, consider restricting access to the admin initial password change webpage until a patch is available. As a temporary workaround, avoid using the admin webUI for password changes until the issue is resolved. Restrict access to the admin webUI to minimize the risk of exploitation.

Fix

Open Redirect

RCE


Weakness Enumeration

Related Identifiers

BDU:2021-01019
CVE-2019-6696

Affected Products

Fortios