FortiOS XSS vulnerabilities via User Groups & Config Revision Comments
The vulnerable input fields in the FortiOS web administration interface are:
- the "Comments" input while saving Configuration Revisions (CVE-2017-7734)
- the "Groups" input while creating or editing User Groups (CVE-2017-7735)
Impact: Execute unauthorized code or commands
Affected products:
- CVE-2017-7734: FortiOS versions 5.4.0 to 5.4.4
- CVE-2017-7735: FortiOS versions 5.2.0 to 5.4.4
Solutions:
- CVE-2017-7734: Upgrade to FortiOS 5.4.5 or 5.6.0
- CVE-2017-7735: Upgrade to FortiOS 5.2.12, 5.4.5 or 5.6.0
Workarounds:
- CVE-2017-7734: Under System > Admin Profiles, edit the concerned profile(s) and set Access Control for "Maintenance" to "Read-Only"
- CVE-2017-7735: Under System > Admin Profiles, edit the concerned profile(s) and set Access Control for "User & Device" to "Read-Only"
- Trusthosts (trusted source addresses on administrator accounts) can also be configured if the source IP addresses of trusted administrators are known.
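As an added illustration that is not part of the advisory, the CLI form of the two workarounds above on a FortiOS 5.4-style build: the weak profile settings beside the read-only ones, plus a trusthost restriction. The profile name, administrator name and subnet are placeholders, and the keywords (mntgrp, authgrp, trusthost1) are recalled from the 5.4 CLI reference rather than taken from this page, so verify them against the installed version.

```fortios
# Added example (not Fortinet's own text). Keyword names are assumed from
# the FortiOS 5.4 CLI reference; names and the subnet are placeholders.

# Weak: the profile grants read-write access to both affected GUI areas.
config system accprofile
    edit "helpdesk-profile"
        set mntgrp read-write     # Maintenance -> Config Revision comments (CVE-2017-7734)
        set authgrp read-write    # User & Device -> User Groups (CVE-2017-7735)
    next
end

# Hardened: downgrade both areas to read-only until the fixed release is installed.
config system accprofile
    edit "helpdesk-profile"
        set mntgrp read
        set authgrp read
    next
end

# Additionally limit where administrators using that profile may log in from.
config system admin
    edit "helpdesk-admin"
        set accprofile "helpdesk-profile"
        set trusthost1 10.10.0.0 255.255.255.0   # placeholder management subnet
    next
end
```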
Fortinet is pleased to thank Walmart's ISD Enterprise Security Testing (EST) Team for reporting this vulnerability under responsible disclosure.