A high-severity cross-site scripting (XSS) vulnerability tracked as (CVE-2023-29183) affecting several FortiOS and FortiProxy versions has been patched by Fortinet.
Additionally, the cybersecurity firm provided updates for a high-severity flaw in FortiWeb, tracked as (CVE-2023-34984).
“A cyber threat actor can exploit one of these vulnerabilities to take control of an affected system,” CISA warns.
CVE-2023-29183 – FortiOS & FortiProxy
The vulnerability was tracked as CVE-2023-29183 (CVSS score of 7.3) in FortiOS and FortiProxy GUI. An inappropriate neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability exists.
“This may allow an authenticated attacker to trigger malicious JavaScript code execution via crafted guest management setting,” Fortinet said in its advisory.
Affected Products
- FortiProxy version 7.2.0 through 7.2.4
- FortiProxy version 7.0.0 through 7.0.10
- FortiOS version 7.2.0 through 7.2.4
- FortiOS version 7.0.0 through 7.0.11
- FortiOS version 6.4.0 through 6.4.12
- FortiOS version 6.2.0 through 6.2.14
Patch Available
- FortiProxy version 7.2.5 or above
- FortiProxy version 7.0.11 or above
- FortiOS version 7.4.0 or above
- FortiOS version 7.2.5 or above
- FortiOS version 7.0.12 or above
- FortiOS version 6.4.13 or above
- FortiOS version 6.2.15 or above
CVE-2023-34984 – FortiWeb
The vulnerability was tracked as CVE-2023-34984 (CVSS score of 7.1) in FortiWeb. A protection mechanism failure vulnerability may allow an attacker to bypass XSS and CSRF protection.
Affected Products
- FortiWeb version 7.2.0 through 7.2.1
- FortiWeb version 7.0.0 through 7.0.6
- FortiWeb 6.4, all versions
- FortiWeb 6.3, all versions
Patch Available
- FortiWeb version 7.2.2 or above
- FortiWeb version 7.0.7 or above
Hence, users of Fortinet are urged to upgrade their switches and firewalls as soon as possible.
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.