virus logo PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.  

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

  Affected Product
 Version
 Date
 Severity
 Component

Total: 119

PSIRT
Description
Affected Products
Updated Date
Component
Severity
FG-IR-23-328 FortiOS & FortiProxy - Out-of-bounds Write in captive portal
CVE-2023-42789 CVE-2023-42789
An out-of-bounds write vulnerability [CWE-787] and a Stack-based Buffer Overflow [CWE-121] in FortiOS &...
FortiOS 7.4.1, 7.4.0, 7.2.5, 7.2.4, 7.2.3 ... FortiProxy 7.4.0, 7.2.6, 7.2.5, 7.2.4, 7.2.3 ...
Mar 12, 2024
Mar 12, 2024

Critical

Critical Severity
FG-IR-24-013 FortiOS & FortiProxy – Authorization bypass in SSLVPN bookmarks
CVE-2024-23112
An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiOS and FortiProxy...
FortiOS 7.4.1, 7.4.0, 7.2.6, 7.2.5, 7.2.4 ... FortiProxy 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 ...
Mar 12, 2024
Mar 12, 2024
SSL-VPN
SSL-VPN

High

High Severity
FG-IR-23-424 FortiOS - Improper authentication following read-only user login
CVE-2023-46717
An improper authentication vulnerability [CWE-287] in FortiOS when configured with FortiAuthenticator in...
FortiOS 7.4.1, 7.4.0, 7.2.6, 7.2.5, 7.2.4 ...
Mar 12, 2024
Mar 12, 2024

Medium

Medium Severity
FG-IR-23-397 FortiOS & FortiProxy - CVE-2023-44487 - Rapid Reset HTTP/2 vulnerability
CVE-2023-44487
The Fortinet Product Security team has evaluated the impact of the vulnerablity HTTP/2 Rapid Reset Attack,...
FortiOS 7.4.1, 7.4.0, 7.2.6, 7.2.5, 7.2.4 ... FortiProxy 7.4.1, 7.4.0, 7.2.7, 7.2.6, 7.2.5 ...
Feb 08, 2024
Feb 08, 2024

Medium

Medium Severity
FG-IR-24-029 FortiOS - Format String Bug in fgfmd
CVE-2024-23113
A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a...
FortiOS 7.4.2, 7.4.1, 7.4.0, 7.2.6, 7.2.5 ...
Feb 08, 2024
Feb 08, 2024

Critical

Critical Severity
FG-IR-23-301 FortiOS - Fortilink lack of certificate validation
CVE-2023-47537
An improper certificate validation vulnerability [CWE-295] in FortiOS may allow an unauthenticated...
FortiOS 7.4.1, 7.4.0, 7.2.6, 7.2.5, 7.2.4 ...
Feb 08, 2024
Feb 08, 2024

Medium

Medium Severity
FG-IR-24-015 FortiOS/FortiProxy - Out-of-bound Write in sslvpnd
CVE-2024-21762
A out-of-bounds write vulnerability [CWE-787] in FortiOS and FortiProxy may allow a remote unauthenticated...
FortiOS 7.4.2, 7.4.1, 7.4.0, 7.2.6, 7.2.5 ... FortiProxy 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 ...
Feb 08, 2024
Feb 08, 2024

Critical

Critical Severity
FG-IR-23-315 FortiOS & FortiProxy - Improper authorization for HA requests
CVE-2023-44250
An improper privilege management vulnerability [CWE-269] in a FortiOS & FortiProxy HA cluster may allow an...
FortiOS 7.4.1, 7.4.0, 7.2.5 FortiProxy 7.4.1, 7.4.0
Jan 09, 2024
Jan 09, 2024

High

High Severity
FG-IR-23-196 Double free in cache management
CVE-2023-41678
A double free vulnerability [CWE-415] in FortiOS and FortiPAM HTTPSd daemon may allow an authenticated...
FortiOS 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1 ... FortiPAM 1.1.1, 1.1.0, 1.0.3, 1.0.2, 1.0.1 ...
Dec 12, 2023
Dec 12, 2023

High

High Severity
FG-IR-23-432 FortiOS & FortiProxy - Firewall deny policy bypass
CVE-2023-47536
An improper access control vulnerability [CWE-284] in FortiOS and FortiProxy may allow a remote...
FortiOS 7.2.0, 7.0.14, 7.0.13, 7.0.12, 7.0.11 ... FortiProxy 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.9 ...
Dec 12, 2023
Dec 12, 2023

Low

Low Severity
FG-IR-23-138 FortiOS & FortiProxy - Format String Bug in HTTPSd
CVE-2023-36639
A format string vulnerability [CWE-134] in the HTTPSd daemon of FortiOS, FortiProxy and FortiPAM may allow...
FortiOS 7.4.0, 7.2.4, 7.2.3, 7.2.2, 7.2.1 ... FortiPAM 1.1.0, 1.0.3, 1.0.2, 1.0.1, 1.0.0 ... FortiProxy 7.2.4, 7.2.3, 7.2.2, 7.2.1, 7.2.0 ...
Dec 12, 2023
Dec 12, 2023

High

High Severity
FG-IR-23-151 FortiOS & FortiProxy - DOS in headers management
CVE-2023-36641
A null pointer dereference [CWE-476] in FortiOS and FortiProxy SSL VPN may allow an authenticated attacker...
FortiOS 7.4.0, 7.2.5, 7.2.4, 7.2.3, 7.2.2 ... FortiProxy 7.2.4, 7.2.3, 7.2.2, 7.2.1, 7.2.0 ...
Nov 14, 2023
Nov 14, 2023

Medium

Medium Severity
FG-IR-22-396 FortiOS VM - Bypass of root file system integrity checks at boot time on VM
CVE-2023-28002
An improper validation of integrity check value vulnerability [CWE-354] in FortiOS VMs may allow a local...
FortiOS 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.12 ... FortiProxy 7.4.1, 7.4.0, 7.2.8, 7.2.7, 7.2.6 ...
Nov 14, 2023
Nov 14, 2023

Medium

Medium Severity
FG-IR-23-385 curl and libcurl CVE-2023-38545 and CVE-2023-38546 vulnerabilities
CVE-2023-38545 CVE-2023-38545
CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool)A heap-based buffer overflow flaw...
FortiExtender 7.4.1, 7.4.0, 7.2.3, 7.2.2, 7.2.1 ... FortiOS 7.4.1, 7.4.0, 7.2.6, 7.2.5, 7.2.4 ... FortiProxy 7.4.1, 7.4.0, 7.2.7, 7.2.6, 7.2.5 ...
Nov 14, 2023
Nov 14, 2023

Medium

Medium Severity
FG-IR-23-184 FortiOS & FortiProxy - Webproxy process denial of service
CVE-2023-41675
A use after free vulnerability [CWE-416] in FortiOS & FortiProxy may allow an unauthenticated remote...
FortiOS 7.2.4, 7.2.3, 7.2.2, 7.2.1, 7.2.0 ... FortiProxy 7.2.2, 7.2.1, 7.2.0, 7.0.8, 7.0.7 ...
Oct 10, 2023
Oct 10, 2023

Medium

Medium Severity