CVE-2018-1355 in FortiManager

Summary

by MITRE

An open redirect vulnerability in Fortinet FortiManager 6.0.0 and below versions, FortiAnalyzer 6.0.0 and below versions allows attacker to inject script code during converting a HTML table to a PDF document under the FortiView feature. An attacker may be able to social engineer an authenticated user into generating a PDF file containing injected malicious URLs.

Analysis

by VulDB Data Team • 03/29/2023

The vulnerability identified as CVE-2018-1355 represents a critical open redirect flaw within Fortinet's FortiManager and FortiAnalyzer platforms, specifically affecting versions 6.0.0 and earlier. This security weakness resides within the FortiView feature's HTML to PDF conversion functionality, creating a pathway for malicious actors to inject script code during document generation processes. The vulnerability stems from insufficient input validation and sanitization mechanisms that fail to properly filter user-supplied data when processing HTML table content destined for PDF rendering.

The technical exploitation of this vulnerability occurs through the manipulation of HTML table data within the FortiView interface, where attackers can inject malicious URLs that persist within the generated PDF documents. This open redirect mechanism allows threat actors to craft specially formatted HTML content that, when converted to PDF, contains embedded malicious links or scripts. The vulnerability specifically targets the conversion process between HTML and PDF formats, leveraging the trust relationship between authenticated users and the FortiView feature to execute social engineering campaigns. When authenticated users generate PDF reports containing these manipulated tables, the injected malicious URLs become part of the final document, creating a vector for further attacks.

The operational impact of this vulnerability extends beyond simple cross-site scripting concerns, as it enables sophisticated social engineering campaigns that can compromise user systems. Attackers can craft PDF documents that appear legitimate to end users, containing links that redirect to malicious websites or execute harmful scripts upon user interaction. This vulnerability particularly affects organizations relying on FortiManager and FortiAnalyzer for network monitoring and reporting, as the compromised PDF generation process can serve as an initial access vector for more extensive attacks. The authenticated nature of the vulnerability means that attackers require valid user credentials, but once obtained, the attack can be executed with minimal additional effort, making it particularly dangerous in environments where privileged accounts are compromised.

Organizations should implement immediate mitigations including upgrading to Fortinet versions that address this vulnerability, typically versions 6.0.1 and later which contain proper input validation and sanitization measures. Network segmentation and access controls should be strengthened to limit exposure of FortiManager and FortiAnalyzer systems to untrusted networks. Additionally, security awareness training should emphasize the importance of verifying PDF document sources and avoiding interaction with suspicious content. The vulnerability aligns with CWE-601 Open Redirect and ATT&CK technique T1203 Exploitation for Client Execution, demonstrating how seemingly benign document generation features can be weaponized for broader attack chains. Regular security assessments of Fortinet products should include verification of input validation mechanisms, particularly in features that process user-generated content for export or reporting purposes.
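The input validation and sanitization described above can be sketched as follows. This is an added example, not Fortinet's code or fix and not part of the original entry; the allowlisted host, the tag sets and all function names are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"table", "thead", "tbody", "tr", "th", "td", "a"}
DROP_CONTENT = {"script", "style", "iframe", "object"}  # drop tag and its body
ALLOWED_HOSTS = {"fortimanager.example.internal"}  # assumed placeholder host
# Constructed sample: one event handler, one script, one trusted and one foreign link.
SAMPLE = ('<table><tr><td onclick="x()">10.0.0.5<script>alert(1)</script></td>'
          '<td><a href="https://fortimanager.example.internal/log?id=7">log</a></td>'
          '<td><a href="https://login.example.net/reset">details</a></td></tr></table>')

def link_is_safe(href):
    """Accept only http(s) links whose host is on the allowlist."""
    try:
        parts = urlsplit(href.strip())
    except ValueError:  # malformed URL: reject
        return False
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS

class TableSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth, self.rejected = [], 0, []

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS:
            href = dict(attrs).get("href") if tag == "a" else None
            if href and link_is_safe(href):
                self.out.append(f'<a href="{escape(href, quote=True)}">')
            else:
                if href:
                    self.rejected.append(href)  # keep for audit logging
                self.out.append(f"<{tag}>")  # every other attribute is dropped

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data))  # cell text is re-escaped

def sanitize_table(fragment):
    """Return (sanitized HTML, rejected links) for a table fragment."""
    parser = TableSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.rejected
```

The sanitized fragment is what would be handed to the PDF renderer; the list of rejected links is worth logging, since a non-empty list on a report export indicates tampered table data.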

Reservation: 12/11/2017

Disclosure: 06/27/2018

Moderation: accepted

CPE: ready

EPSS: 0.00227

KEV: no

Activities: very low
