FortiOS XSS vulnerabilities via FortiView Application filter, FortiToken activation & SSL VPN Replacement Messages

ID FG-IR-17-104
Type fortinet
Reporter FortiGuard Labs
Modified 2017-07-28T00:00:00


Three XSS vulnerabilities in FortiOS, the first via the filter input in "Applications" under FortiView (CVE-2017-3131), the second via the action input during the activation of a FortiToken (CVE-2017-3132), and the third via the Replacement Message HTML for SSL-VPN (CVE-2017-3133), can be exploited by logged-in users only, to load and run remote (malicious) JavaScript in a logged-in browser.