Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
symantecSymantec Security ResponseSMNTC-110964
HistoryNov 25, 2019 - 12:00 a.m.

Fortinet FortiGate CVE-2019-6697 HTML Injection Vulnerability

2019-11-2500:00:00
Symantec Security Response
www.symantec.com
39
JSON

Description

Fortinet FortiGate is prone to an HTML injection vulnerability because it fails to sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. The following versions are affected: FortiGate version 6.2.1 and prior. FortiGate version 6.0.6 and prior.

Technologies Affected

  • Fortinet FortiGate
  • Fortinet Fortios 6.0.0
  • Fortinet Fortios 6.0.1
  • Fortinet Fortios 6.0.2
  • Fortinet Fortios 6.0.3
  • Fortinet Fortios 6.0.4
  • Fortinet Fortios 6.0.5
  • Fortinet Fortios 6.0.6
  • Fortinet Fortios 6.2.0
  • Fortinet Fortios 6.2.1

Recommendations

Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. Since the webserver may log such requests, review its logs regularly.

Do not follow links provided by unknown or untrusted sources.
Web users should be cautious about following links to websites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.

Set web browser security to disable the execution of JavaScript.
Since successful exploit of this issue allows malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.

Updates are available. Please see the references or vendor advisory for more information.

Related

fortinet 1
cve 1
nessus 1
fortinet
fortinet
Protect
2019-11-25 00:00:00
cve
cve
CVE-2019-6697
2022-04-28 11:43:04
nessus
nessus
Fortinet FortiOS < 6.0.7 / 6.2.x < 6.2.2 Multiple Vulnerabilities (FG-IR-19-184, FG-IR-19-236)
2019-11-26 00:00:00
JSON
Related for SMNTC-110964
fortinet1cve1nessus1