Fortinet Products patch two high severity vulnerabilities
Learn More
Fortinet recently addressed a significant cross-site scripting (XSS) vulnerability, tracked as CVE-2023-29183 (CVSS score 7.3), affecting various versions of FortiOS and FortiProxy. This security flaw involves the improper handling of input during web page generation. If successfully exploited, an authenticated attacker could utilize manipulated guest management settings to execute malicious JavaScript code. Fortinet's CSE team identified this vulnerability.
The impacted versions include
- FortiProxy 7.0.x, 7.2.x,
- FortiOS 6.2.x, 6.4.x, 7.0.x, and 7.2.x.
Fortinet has released patches,
- FortiProxy versions 7.0.11 and 7.2.5,
- FortiOS versions 6.2.15, 6.4.13, 7.0.12, 7.2.5, and 7.4.0
Fortinet also addressed a high-severity vulnerability in FortiWeb, a web application firewall, and API protection solution. Tracked as CVE-2023-34984 (CVSS score 7.1), this flaw could potentially enable an attacker to bypass existing protections against XSS and cross-site request forgery (CSRF).
The impacted versions incliude FortiWeb 6.3, 6.4, 7.0.x, and 7.2.x.
Fortinet responded by releasing FortiWeb versions 7.0.7 and 7.2.2 to rectify this issue.
Fortinet and CISA strongly advise its users to promptly update their firewalls and switches to the latest patched versions. Although there is no current evidence of these vulnerabilities being actively exploited, it is vital to take preventive action as historical instances have shown that flaws in Fortinet appliances have been targeted to gain unauthorized access to enterprise networks.
