Vigil@nce: FortiGate, several Cross Site Scripting
September 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use several vulnerabilities of FortiGate
appliances, in order to execute script code in privileged contexts.
– Impacted products: FortiGate, FortiGate Virtual Appliance
– Severity: 2/4
– Creation date: 13/09/2012
DESCRIPTION OF THE VULNERABILITY
FortiGate appliances have a web interface.
However, the "mkey", "context", "title" and "msg" parameters are
not filtered before being injected in generated HTML pages.
An attacker can therefore use several Cross Site Scripting of
FortiGate appliances, in order to execute script code in
privileged contexts.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FortiGate-several-Cross-Site-Scripting-11940