Fortinet Fortiweb CVE-2017-3129 Cross Site Scripting Vulnerability

Fortinet Fortiweb is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Fortinet Fortiweb versions prior to 5.7.1 are vulnerable.

Information

Bugtraq ID: 98382
Class: Input Validation Error
CVE: CVE-2017-3129

Remote: Yes
Local: No
Published: Apr 19 2017 12:00AM
Updated: May 10 2017 08:08PM
Credit: The vendor reported this issue.
Vulnerable: Fortinet FortiWeb 5.7.1
Fortinet FortiWeb 5.5.3
Fortinet FortiWeb 5.5.2
Fortinet FortiWeb 5.5.1
Fortinet FortiWeb 5.5
Fortinet FortiWeb 5.3.5
Fortinet FortiWeb 5.3.4
Fortinet FortiWeb 5.3.3
Fortinet FortiWeb 5.3.2
Fortinet FortiWeb 5.3.1
Fortinet FortiWeb 5.2.1
Fortinet FortiWeb 5.1
Fortinet FortiWeb 5.0.4
Fortinet FortiWeb 5.0.3
Fortinet FortiWeb 5.0.2
Fortinet FortiWeb 5.0.1
Fortinet FortiWeb 5.2.0
Fortinet FortiWeb 5.1.4
Fortinet FortiWeb 5.1.3
Fortinet FortiWeb 5.1.2
Fortinet FortiWeb 5.1.1
Fortinet FortiWeb 5.0

Not Vulnerable: Fortinet FortiWeb 5.8

Exploit

To exploit this issue an attacker must entice an unsuspecting victim to open a malicious URI.

References:

• Fortinet Homepage (Fortinet)
  
• XSS Vulnerability in FortiWeb Site Publisher (Fortiguard)
  

Source: www.securityfocus.com