Cross-site Scripting Vulnerability in Fortinet FortiManager and FortiAnalyzer
CVE-2017-17541

6.1MEDIUM

Key Information:

Vendor
Fortinet
Status
Fortinet Fortimanager, Fortianalyzer
Vendor
CVE Published:
16 July 2018

Summary

A Cross-site Scripting (XSS) vulnerability exists in Fortinet's FortiManager and FortiAnalyzer, specifically in versions 6.0.0 and 5.6.4 and earlier. This vulnerability allows attackers to inject malicious JavaScript code and HTML tags through the CN value of CA and CRL certificates while using the import feature for these certificates. This attack vector could be leveraged to execute arbitrary scripts in the context of a user’s browser session, potentially leading to data theft or unauthorized actions within the affected applications.

Affected Version(s)

Fortinet FortiManager, FortiAnalyzer FortiManager 6.0.0, 5.6.4 and below versions; FortiAnalyzer 6.0.0, 5.6.4 and below versions

References

https://fortiguard.com/advisory/FG-IR-17-305
x_refsource_CONFIRM
http://www.securitytracker.com/id/1041246
vdb-entryx_refsource_SECTRACK
http://www.securitytracker.com/id/1041247
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.