Fortinet Patches High-Severity Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products

Fortinet has released patches for a high-severity cross-site scripting (XSS) vulnerability impacting multiple FortiOS and FortiProxy versions.

Tracked as CVE-2023-29183 (CVSS score of 7.3), the security defect is described as an “improper neutralization of input during web page generation”.

Successful exploitation of the bug, Fortinet explains in an advisory, may allow an authenticated attacker to use crafted guest management settings to trigger the execution of malicious JavaScript code.

Identified by Fortinet’s CSE team, the flaw impacts FortiProxy versions 7.0.x and 7.2.x, and FortiOS versions 6.2.x, 6.4.x, 7.0.x, and 7.2.x.

Fortinet has released FortiProxy versions 7.0.11 and 7.2.5, and FortiOS versions 6.2.15, 6.4.13, 7.0.12, 7.2.5, and 7.4.0 to address this issue.

The cybersecurity company also released patches for a high-severity issue in its web application firewall and API protection solution FortiWeb.

Tracked as CVE-2023-34984 (CVSS score of 7.1), the issue could allow an attacker to bypass existing XSS and cross-site request forgery (CSRF) protections, the company explains.

Advertisement. Scroll to continue reading.

According to Fortinet, the bug impacts FortiWeb versions 6.3, 6.4, 7.0.x, and 7.2.x, and was addressed with the release of FortiWeb versions 7.0.7 and 7.2.2.

Fortinet users are advised to update their firewalls and switches as soon as possible. While the company makes no mention of any of these vulnerabilities being exploited in attacks, flaws in Fortinet appliances have been targeted in the wild to gain access to enterprise networks.

The US Cybersecurity and Infrastructure Security Agency (CISA) warns that exploitation of these bugs could lead to full system compromise and advises administrators to review Fortinet’s advisories and apply the necessary updates.

“A cyber threat actor can exploit one of these vulnerabilities to take control of an affected system,” CISA notes.

Related: Fortinet Patches Critical FortiOS Vulnerability Leading to Remote Code Execution

Related: Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks

Related: Fortinet Patches Critical Vulnerability in Data Analytics Solution