CVE-2019-16151

Summary

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS 6.4.1 and below, 6.2.9 and below may allow a remote unauthenticated attacker to either redirect users to malicious websites via a crafted "Host" header or to execute JavaScript code in the victim's browser context. This happens when the FortiGate has web filtering and category override enabled/configured.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiOS6.4.0 <= 6.4.1affected
FortinetFortiOS6.2.0 <= 6.2.9affected

Weaknesses

  • CWE-79: Execute unauthorized code or commands

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References