Fortigate UTM WAF Appliances Cross Site Scripting and HTML Injection Vulnerabilities
BID:51708
CVE-2012-941 |Info
Fortigate UTM WAF Appliances Cross Site Scripting and HTML Injection Vulnerabilities
| Bugtraq ID: | 51708 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 27 2012 12:00AM |
| Updated: | Mar 26 2012 07:40AM |
| Credit: | Benjamin Kunz Mejri (Rem0ve) |
| Vulnerable: |
Fortinet FortiGate 800 Fortinet FortiGate 620B Fortinet FortiGate 5000 Fortinet FortiGate 3950 Fortinet FortiGate 3810A Fortinet FortiGate 3600A Fortinet FortiGate 311B Fortinet FortiGate 310B Fortinet FortiGate 3016B Fortinet FortiGate 300A Fortinet FortiGate 224B Fortinet FortiGate 200B Fortinet FortiGate 1240B |
| Not Vulnerable: | |
Discussion
Fortigate UTM WAF Appliances Cross Site Scripting and HTML Injection Vulnerabilities
Fortigate UTM WAF Appliances is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Fortigate UTM WAF Appliances is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Exploit / POC
Fortigate UTM WAF Appliances Cross Site Scripting and HTML Injection Vulnerabilities
An attacker must trick an unsuspecting victim into following a malicious URI to exploit the cross-site scripting issues. An attacker can exploit the HTML-injection issues through a browser.
An attacker must trick an unsuspecting victim into following a malicious URI to exploit the cross-site scripting issues. An attacker can exploit the HTML-injection issues through a browser.
Solution / Fix
Fortigate UTM WAF Appliances Cross Site Scripting and HTML Injection Vulnerabilities
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
Fortigate UTM WAF Appliances Cross Site Scripting and HTML Injection Vulnerabilities
References:
References:
- Fortigate Homepage (Fortinet)
- Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities (vulnerability-lab)
- Potential Information Disclosure Vulnerability in FortiGate (Fortinet)