(29/11/2017) A Cross-site Scripting (XSS) vulnerability in FortiOS SSL-VPN portal may allow an authenticated user to inject arbitrary web code or HTML in the context of the victim's browser via the login redir parameter.
A URL redirection attack may also enable an authenticated user to redirect the victim to an arbitrary URL via the same redir parameter. Follow the link to the official report. Risk classification from BSI: "high". For more information on the subject, see CVE-2017-14186.
Affected versions of FortiOS are:
FortiOS 5.2.0 up to 5.2.12
FortiOS 5.4.0 up to 5.4.6
FortiOS 5.6.0 up to 5.6.2
FortiOS 5.2 branch: Upgrade to 5.2.12 special build or upcoming 5.2.13, release on December 14th.
FortiOS 5.4 branch: Upgrade to 5.4.6 special build or upcoming 5.4.7, release on December 7th.
FortiOS 5.6 branch: Upgrade to upcoming 5.6.3, release on November 27th.
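Both issues above stem from a login redir parameter that is reflected and followed without validation. The following is an added example (not Fortinet code, and not taken from the advisory) showing the kind of allow-list check a redirect parameter should pass, plus a scan over constructed access-log lines to spot requests whose redir value would fail that check; the log format and the /remote/login request path are assumptions for the sample.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that could break out of an HTML attribute or script context if the
# value is reflected into the page (the XSS half of the advisory).
FORBIDDEN_CHARS = set('<>"\'\\')


def is_safe_redir(value: str) -> bool:
    """Accept only an on-site relative path: single leading '/', no scheme,
    no host, and no markup-significant or control characters."""
    decoded = value
    # Decode repeatedly so a double-encoded value cannot slip past the checks.
    while (nxt := unquote(decoded)) != decoded:
        decoded = nxt
    # "//host" is protocol-relative and would leave the site (the redirect half).
    if not decoded.startswith("/") or decoded.startswith("//"):
        return False
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return False
    if any(c in FORBIDDEN_CHARS or ord(c) < 0x20 for c in decoded):
        return False
    return True


# Constructed sample log lines in common/combined-style format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Nov/2017:10:00:01 +0100] "GET /remote/login?redir=%2Fsslvpn%2Fportal HTTP/1.1" 200
10.0.0.7 - - [29/Nov/2017:10:00:05 +0100] "GET /remote/login?redir=https%3A%2F%2Fattacker.example%2F HTTP/1.1" 302
10.0.0.9 - - [29/Nov/2017:10:00:09 +0100] "GET /remote/login?redir=%2F%2Fattacker.example%2F HTTP/1.1" 302
10.0.0.11 - - [29/Nov/2017:10:00:12 +0100] "GET /remote/login?redir=%2Fportal%22%3E%3Cb%3Ex HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_unsafe_redirects(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded_redir) for every request whose redir
    parameter fails is_safe_redir; parse_qs percent-decodes the values."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for redir in parse_qs(query, keep_blank_values=True).get("redir", []):
            if not is_safe_redir(redir):
                findings.append((m.group("ip"), redir))
    return findings
```

Running find_unsafe_redirects over SAMPLE_LOG flags the three requests carrying an absolute URL, a protocol-relative URL, and markup characters, and leaves the plain on-site path alone.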