nuclei-templates/http/cves/2016/CVE-2016-3978.yaml

id: CVE-2016-3978

info:
  name: Fortinet FortiOS  - Open Redirect/Cross-Site Scripting
  author: 0x_Akoko
  severity: medium
  description: FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the "redirect" parameter to "login."
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access, phishing attacks, and potential data theft.
  remediation: |
    Apply the latest security patches and updates provided by Fortinet to mitigate the vulnerability.
  reference:
    - http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2016-3978
    - http://seclists.org/fulldisclosure/2016/Mar/68
    - http://www.securitytracker.com/id/1035332
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2016-3978
    cwe-id: CWE-79
    epss-score: 0.00217
    epss-percentile: 0.59667
    cpe: cpe:2.3:o:fortinet:fortios:5.0.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fortinet
    product: fortios
  tags: cve2016,cve,redirect,fortinet,fortios,seclists

http:
  - method: GET
    path:
      - '{{BaseURL}}/login?redir=http://www.interact.sh'

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
# digest: 490a0046304402201e517dd06332c852dc9e8a03d12eb20c9636dfc194690a007024ef333e978dba022062abb7e6dbc6349bc055a6faeffa048a2b20388fd1893538783af9670b6e35e0:922c64590222798bb761d5b6d8e72950
template name and ID update 2022-01-29 11:45:08 +00:00			`id: CVE-2016-3978`

			`info:`
Dashboard Content Enhancements (#5092) Dashboard Content Enhancements 2022-08-16 14:14:41 +00:00			`name: Fortinet FortiOS - Open Redirect/Cross-Site Scripting`
template name and ID update 2022-01-29 11:45:08 +00:00			`author: 0x_Akoko`
			`severity: medium`
Dashboard Content Enhancements (#5092) Dashboard Content Enhancements 2022-08-16 14:14:41 +00:00			`description: FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the "redirect" parameter to "login."`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability could lead to unauthorized access, phishing attacks, and potential data theft.`
updated other CVEs 2023-09-06 13:22:34 +00:00			`remediation: \|`
			`Apply the latest security patches and updates provided by Fortinet to mitigate the vulnerability.`
template name and ID update 2022-01-29 11:45:08 +00:00			`reference:`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability`
Dashboard Content Enhancements (#5092) Dashboard Content Enhancements 2022-08-16 14:14:41 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2016-3978`
Auto Generated CVE annotations [Tue Aug 16 14:25:34 UTC 2022] :robot: 2022-08-16 14:25:34 +00:00			`- http://seclists.org/fulldisclosure/2016/Mar/68`
more updates 2023-07-15 16:29:17 +00:00			`- http://www.securitytracker.com/id/1035332`
Auto Generated CVE annotations [Mon Jan 31 18:38:32 UTC 2022] :robot: 2022-01-31 18:38:32 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 6.1`
Auto Generated CVE annotations [Mon Jan 31 18:38:32 UTC 2022] :robot: 2022-01-31 18:38:32 +00:00			`cve-id: CVE-2016-3978`
			`cwe-id: CWE-79`
Revert "TemplateMan Update [Mon Apr 8 11:30:07 UTC 2024] :robot:" This reverts commit 433dda4ae5b824564b44075bb95a96ecdbe263a6. 2024-04-08 11:34:33 +00:00			`epss-score: 0.00217`
			`epss-percentile: 0.59667`
updated other CVEs 2023-09-06 13:22:34 +00:00			`cpe: cpe:2.3:o:fortinet:fortios:5.0.0:::::::*`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
more updates 2023-07-15 16:29:17 +00:00			`vendor: fortinet`
			`product: fortios`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2016,cve,redirect,fortinet,fortios,seclists`
template name and ID update 2022-01-29 11:45:08 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
template name and ID update 2022-01-29 11:45:08 +00:00			`- method: GET`
			`path:`
Fixed possible FPs in open redirect templates (#4544) * Fixed possible FPs in open redirect templates We have replaced example.com with interact.sh since few domains redirect to example.com, which results in FP results. * updated example domain Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-06-06 10:40:15 +00:00			`- '{{BaseURL}}/login?redir=http://www.interact.sh'`
template name and ID update 2022-01-29 11:45:08 +00:00
			`matchers:`
			`- type: regex`
			`part: header`
			`regex:`
Reduce false-positives in open-redirect regexes 2023-03-01 08:39:14 +00:00			`- '(?m)^(?:Location\s?:\s?)(?:https?:\/\/\|\/\/\|\/\\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@])interact\.sh\/?(\/\|[^.].)?$' # https://regex101.com/r/L403F0/1`
Auto Template Signing [Fri Jan 26 08:31:11 UTC 2024] :robot: 2024-01-26 08:31:11 +00:00			`# digest: 490a0046304402201e517dd06332c852dc9e8a03d12eb20c9636dfc194690a007024ef333e978dba022062abb7e6dbc6349bc055a6faeffa048a2b20388fd1893538783af9670b6e35e0:922c64590222798bb761d5b6d8e72950`