nuclei-templates/http/cves/2016/CVE-2016-3978.yaml

id: CVE-2016-3978

info:
  name: Fortinet FortiOS  - Open Redirect/Cross-Site Scripting
  author: 0x_Akoko
  severity: medium
  description: FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the "redirect" parameter to "login."
  reference:
    - http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2016-3978
    - http://seclists.org/fulldisclosure/2016/Mar/68
    - http://www.securitytracker.com/id/1035332
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2016-3978
    cwe-id: CWE-79
    epss-score: 0.00217
    cpe: cpe:2.3:o:fortinet:fortios:5.0.0:*:*:*:*:*:*:*
    epss-percentile: 0.59005
  metadata:
    max-request: 1
    vendor: fortinet
    product: fortios
  tags: cve2016,redirect,fortinet,fortios,seclists,cve

http:
  - method: GET
    path:
      - '{{BaseURL}}/login?redir=http://www.interact.sh'

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
template name and ID update 2022-01-29 11:45:08 +00:00			`id: CVE-2016-3978`

			`info:`
Dashboard Content Enhancements (#5092) Dashboard Content Enhancements 2022-08-16 14:14:41 +00:00			`name: Fortinet FortiOS - Open Redirect/Cross-Site Scripting`
template name and ID update 2022-01-29 11:45:08 +00:00			`author: 0x_Akoko`
			`severity: medium`
Dashboard Content Enhancements (#5092) Dashboard Content Enhancements 2022-08-16 14:14:41 +00:00			`description: FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the "redirect" parameter to "login."`
template name and ID update 2022-01-29 11:45:08 +00:00			`reference:`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability`
Dashboard Content Enhancements (#5092) Dashboard Content Enhancements 2022-08-16 14:14:41 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2016-3978`
Auto Generated CVE annotations [Tue Aug 16 14:25:34 UTC 2022] :robot: 2022-08-16 14:25:34 +00:00			`- http://seclists.org/fulldisclosure/2016/Mar/68`
more updates 2023-07-15 16:29:17 +00:00			`- http://www.securitytracker.com/id/1035332`
Auto Generated CVE annotations [Mon Jan 31 18:38:32 UTC 2022] :robot: 2022-01-31 18:38:32 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 6.1`
Auto Generated CVE annotations [Mon Jan 31 18:38:32 UTC 2022] :robot: 2022-01-31 18:38:32 +00:00			`cve-id: CVE-2016-3978`
			`cwe-id: CWE-79`
more updates 2023-07-15 16:29:17 +00:00			`epss-score: 0.00217`
			`cpe: cpe:2.3:o:fortinet:fortios:5.0.0:::::::*`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`epss-percentile: 0.59005`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
more updates 2023-07-15 16:29:17 +00:00			`vendor: fortinet`
			`product: fortios`
			`tags: cve2016,redirect,fortinet,fortios,seclists,cve`
template name and ID update 2022-01-29 11:45:08 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
template name and ID update 2022-01-29 11:45:08 +00:00			`- method: GET`
			`path:`
Fixed possible FPs in open redirect templates (#4544) * Fixed possible FPs in open redirect templates We have replaced example.com with interact.sh since few domains redirect to example.com, which results in FP results. * updated example domain Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-06-06 10:40:15 +00:00			`- '{{BaseURL}}/login?redir=http://www.interact.sh'`
template name and ID update 2022-01-29 11:45:08 +00:00
			`matchers:`
			`- type: regex`
			`part: header`
			`regex:`
Reduce false-positives in open-redirect regexes 2023-03-01 08:39:14 +00:00			`- '(?m)^(?:Location\s?:\s?)(?:https?:\/\/\|\/\/\|\/\\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@])interact\.sh\/?(\/\|[^.].)?$' # https://regex101.com/r/L403F0/1`