Fortinet Issues Fixes for High-Risk Vulnerabilities in Multiple Products
September 18, 2023
Fortinet, a major cybersecurity company, has released patches for a severe cross-site scripting (XSS) vulnerability affecting its enterprise-grade firewalls and switches. The vulnerability, identified as CVE-2023-29183 with a CVSS score of 7.3, impacts multiple versions of FortiOS and FortiProxy. The flaw could allow an authenticated attacker to abuse the guest management settings and execute malicious JavaScript code.
This vulnerability was discovered by Fortinet's CSE team and affects FortiProxy versions 7.0.x and 7.2.x, and FortiOS versions 6.2.x, 6.4.x, 7.0.x, and 7.2.x. To address this issue, Fortinet has released FortiProxy versions 7.0.11 and 7.2.5, and FortiOS versions 6.2.15, 6.4.13, 7.0.12, 7.2.5, and 7.4.0.
Alongside this, Fortinet also issued patches for a serious vulnerability in its web application firewall and API protection solution, FortiWeb. This flaw, identified as CVE-2023-34984 with a CVSS score of 7.1, could enable an attacker to bypass existing XSS and cross-site request forgery (CSRF) protections. The bug impacts FortiWeb versions 6.3, 6.4, 7.0.x, and 7.2.x. To address this, Fortinet released FortiWeb versions 7.0.7 and 7.2.2.
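As an added illustration (not code from the article or from Fortinet), the following Python helper encodes the affected branches and fixed releases from the two paragraphs above and reports, for a given product and version string, whether that version still falls in a vulnerable range. The ADVISORY table is transcribed from the article; the `FortiOS 7.0.5` banner format and the function names are assumptions.

```python
import re

# Affected branches and the in-branch fixed release named in the article above.
# None means the article lists the branch as affected but names no fixed
# release inside it (FortiWeb 6.3 and 6.4), so the only remedy given is moving
# to a fixed branch.
ADVISORY = {
    "CVE-2023-29183": {
        "FortiOS":    {(6, 2): 15, (6, 4): 13, (7, 0): 12, (7, 2): 5},
        "FortiProxy": {(7, 0): 11, (7, 2): 5},
    },
    "CVE-2023-34984": {
        "FortiWeb":   {(6, 3): None, (6, 4): None, (7, 0): 7, (7, 2): 2},
    },
}

# Case-insensitive lookup of the product names used in the table.
_CANONICAL = {name.lower(): name for cves in ADVISORY.values() for name in cves}

# Assumed banner format, e.g. "FortiOS 7.0.5" or "fortiproxy v7.2.4".
_BANNER_RE = re.compile(
    r"^\s*(?P<product>forti[a-z]+)\s+v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\s*$",
    re.IGNORECASE,
)


def parse_banner(banner):
    """Turn 'FortiOS 7.0.5' into ('FortiOS', 7, 0, 5); raise on anything else."""
    m = _BANNER_RE.match(banner)
    if not m:
        raise ValueError(f"unrecognised version string: {banner!r}")
    product = _CANONICAL.get(m.group("product").lower())
    if product is None:
        raise ValueError(f"product not covered by these advisories: {m.group('product')}")
    return product, int(m.group("major")), int(m.group("minor")), int(m.group("patch"))


def assess(banner):
    """Return one finding per CVE whose affected list names this product's branch.

    A branch that is not listed at all (for example FortiOS 7.4.x, which the
    article names only as a fixed release) yields no finding.
    """
    product, major, minor, patch = parse_banner(banner)
    findings = []
    for cve, products in ADVISORY.items():
        branches = products.get(product, {})
        if (major, minor) not in branches:
            continue  # this branch is not listed as affected by this CVE
        fixed = branches[(major, minor)]
        if fixed is None:
            status = "affected"
            action = "no fixed release in this branch; move to a fixed branch"
        elif patch < fixed:
            status = "affected"
            action = f"upgrade to {product} {major}.{minor}.{fixed}"
        else:
            status = "fixed"
            action = f"{major}.{minor}.{fixed} or later already installed"
        findings.append({"cve": cve, "status": status, "action": action})
    return findings


def any_affected(banner):
    """True if at least one of the two CVEs still applies to this version."""
    return any(f["status"] == "affected" for f in assess(banner))


if __name__ == "__main__":
    # Constructed sample banners, one per interesting case.
    for b in ("FortiOS 7.0.5", "FortiOS 7.2.5", "FortiProxy 7.0.11",
              "FortiWeb 6.4.3", "FortiWeb 7.2.2", "FortiOS 7.4.0"):
        print(f"{b:20} affected={any_affected(b)} {assess(b)}")
```

The check compares only the patch number inside an affected major.minor branch, which is exactly how the article states the ranges ("7.0.x" fixed in 7.0.12, and so on); a version in a branch the article never lists is reported as having no finding rather than as safe, so the table should be refreshed from the vendor advisory before it is relied on.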
Fortinet is urging its users to update their firewalls and switches as soon as possible to mitigate these vulnerabilities. While the company has not reported any of these vulnerabilities being actively exploited, flaws in Fortinet appliances have previously been used to gain access to enterprise networks.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that exploitation of these bugs could result in full system compromise. CISA advises administrators to review Fortinet’s advisories and apply the necessary updates. As CISA notes, “A cyber threat actor can exploit one of these vulnerabilities to take control of an affected system.”