Lucene search

FortinetCVE-2017-14186

HistoryNov 29, 2017 - 7:29 p.m.

CVE-2017-14186

2017-11-2919:29:00

CWE-79

fortinet

web.nvd.nist.gov

xss

vulnerability

fortinet fortios

ssl vpn

remote code injection

web portal

nvd

cve-2017-14186

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.029

Percentile

90.9%

JSON

A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4 and below versions under SSL VPN web portal allows a remote user to inject arbitrary web script or HTML in the context of the victim’s browser via the login redir parameter. An URL Redirection attack may also be feasible by injecting an external URL via the affected parameter.

Affected configurations

Nvd

Node

fortinetfortiosRange≤5.0

fortinetfortiosRange5.2.0–5.2.12

fortinetfortiosRange5.4.0–5.4.6

fortinetfortiosRange5.6.0–5.6.2

VendorProductVersionCPE
fortinetfortios*cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fortinet	fortios	*	cpe:2.3:o:fortinet:fortios::::::::

CNA Affected

[
  {
    "product": "FortiOS",
    "vendor": "Fortinet, Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "5.6.0 to 5.6.2"
      },
      {
        "status": "affected",
        "version": "5.4.0 to 5.4.6"
      },
      {
        "status": "affected",
        "version": "5.2.0 to 5.2.12"
      },
      {
        "status": "affected",
        "version": "5.0 and below"
      }
    ]
  }
]