Remote Code Execution and Redirection Vulnerability in FortiOS by Fortinet
CVE-2019-16151

4.7MEDIUM

Key Information:

Vendor
Fortinet
Status
FortiOS
Vendor
CVE Published:
21 March 2025

Summary

An improper neutralization of input during web page generation in FortiOS versions 6.4.1 and below, as well as 6.2.9 and below, could enable a remote, unauthenticated attacker to manipulate the 'Host' header. This condition may lead to user redirection to malicious websites or unauthorized JavaScript execution within the browser context of affected users when web filtering and category override features are enabled on FortiGate devices.

Affected Version(s)

FortiOS 6.4.0 <= 6.4.1

FortiOS 6.2.0 <= 6.2.9

References

https://fortiguard.com/advisory/FG-IR-19-301

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.