In this advisory, we provide an urgent notification to all users of FortiOS, FortiProxy and FortiWeb. Fortinet has released security updates to address vulnerabilities in the aforementioned products this month, details can be found below.
FortiOS & FortiProxy Cross Site Scripting Vulnerability
A (‘Cross-site Scripting’) vulnerability (CVE-2023-29183) in the FortiOS and FortiProxy GUI may allow an authenticated attacker to trigger malicious JavaScript code execution via crafted guest management setting.
More information of Fortinet’s official statement can be found on this link.
https://www.fortiguard.com/psirt/FG-IR-23-106
Impacted Version(s)
If you have FortiGate devices with the following FortiOS versions, you could be at risk.
FortiProxy version 7.2.0 through 7.2.4
FortiProxy version 7.0.0 through 7.0.10
FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.11
FortiOS version 6.4.0 through 6.4.12
FortiOS version 6.2.0 through 6.2.14
Mitigation/ Remediation Strategies
We would recommend that all partners running an impacted version, complete their upgrade activities urgently.
Security Patches are available from Fortinet and should be downloaded and applied as a priority.
As per the points above, impacted versions:
- Please upgrade to FortiProxy version 7.2.5 or above
- Please upgrade to FortiProxy version 7.0.11 or above
- Please upgrade to FortiOS version 7.4.0 or above
- Please upgrade to FortiOS version 7.2.5 or above
- Please upgrade to FortiOS version 7.0.12 or above
- Please upgrade to FortiOS version 6.4.13 or above
- Please upgrade to FortiOS version 6.2.15 or above
Further reading
Further information can be found on the following links: https://www.fortiguard.com/psirt/FG-IR-23-106
FortiWeb – Insufficient protections against XSS and CSRF
A protection mechanism failure vulnerability in FortiWeb may allow an attacker to bypass XSS and CSRF protections (CVE-2023-34984).
Impacted Version(s)
If you have FortiWeb solutions with the following versions, you could be at risk.
- FortiWeb version 7.2.0 through 7.2.1
- FortiWeb version 7.0.0 through 7.0.6
- FortiWeb 6.4 all versions
- FortiWeb 6.3 all versions
Mitigation/ Remediation Strategies
We would recommend that all partners running an impacted version, complete their upgrade activities as soon as practical.
Security Patches are available from Fortinet and should be downloaded and applied as a priority.
As per the points above, impacted versions:
- Please upgrade to FortiWeb version 7.2.2 or above (impacted version 7.2.x)
- Please upgrade to FortiWeb version 7.0.7 or above (all other impacted versions).
Further reading
Further information can be found on the following links:
- More information of Fortinet’s official statement can be found on this link.
https://www.fortiguard.com/psirt/FG-IR-23-068.
