PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.  

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

Total: 127

| PSIRT | CVE | Description | Affected Products | Updated Date | Component | Severity |
|---|---|---|---|---|---|---|
| FG-IR-23-415 Buffer overflow in administrative interface | CVE-2023-46714 | A stack-based buffer overflow [CWE-121] vulnerability in FortiOS administrative interface may allow a... | FortiOS 7.4.1, 7.4.0, 7.2.6, 7.2.5, 7.2.4 ... | May 14, 2024 | GUI | Medium |
| FG-IR-23-195 Double free with double usage of json_object_put | CVE-2023-44247 | A double free vulnerability [CWE-415] in FortiOS may allow a privileged attacker to execute unauthorized... | FortiOS 6.4.15, 6.4.14, 6.4.13, 6.4.12, 6.4.11 ... | May 14, 2024 | | Medium |
| FG-IR-23-137 Format String Bug in cli command | CVE-2023-36640 | Multiple format string bug vulnerabilities [CWE-134] in FortiOS, FortiProxy, FortiPAM & FortiSwitchManager... | FortiOS 7.4.0, 7.2.5, 7.2.4, 7.2.3, 7.2.2 ... FortiPAM 1.1.0, 1.0.3, 1.0.2, 1.0.1, 1.0.0 ... FortiProxy 7.2.5, 7.2.4, 7.2.3, 7.2.2, 7.2.1 ... FortiSwitchManager 7.2.2, 7.2.1, 7.2.0, 7.0.2, 7.0.1 ... | May 14, 2024 | CLI | Medium |
| FG-IR-24-017 Node.js crash over administrative interface | CVE-2024-26007 | An improper check or handling of exceptional conditions vulnerability [CWE-703] in FortiOS version 7.4.1... | FortiOS 7.4.1 | May 14, 2024 | GUI | Medium |
| FG-IR-23-225 SSL-VPN user IP spoofing | CVE-2023-45586 | An insufficient verification of data authenticity vulnerability [CWE-345] in FortiOS & FortiProxy SSL-VPN... | FortiOS 7.4.1, 7.4.0, 7.2.7, 7.2.6, 7.2.5 ... FortiProxy 7.4.1, 7.4.0, 7.2.7, 7.2.6, 7.2.5 ... | May 14, 2024 | SSL-VPN | Medium |
| FG-IR-23-493 Administrator cookie leakage | CVE-2023-41677 | An insufficiently protected credentials vulnerability [CWE-522] in FortiOS and FortiProxy may allow an... | FortiOS 7.4.1, 7.4.0, 7.2.6, 7.2.5, 7.2.4 ... FortiProxy 7.4.1, 7.4.0, 7.2.7, 7.2.6, 7.2.5 ... | Apr 09, 2024 | | High |
| FG-IR-23-413 FortiOS - Format String in CLI command | CVE-2023-48784 | A use of externally-controlled format string vulnerability [CWE-134] in FortiOS command line interface may... | FortiOS 7.4.1, 7.4.0, 7.2.7, 7.2.6, 7.2.5 ... | Apr 09, 2024 | CLI | Medium |
| FG-IR-23-224 Web server ETag exposure | CVE-2024-23662 | An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiOS may allow... | FortiOS 7.4.1, 7.4.0, 7.2.5, 7.2.4, 7.2.3 ... | Apr 09, 2024 | | Medium |
| FG-IR-24-013 Authorization bypass in SSLVPN bookmarks | CVE-2024-23112 | An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiOS and FortiProxy... | FortiOS 7.4.1, 7.4.0, 7.2.6, 7.2.5, 7.2.4 ... FortiProxy 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 ... | Mar 12, 2024 | SSL-VPN | High |
| FG-IR-23-424 Improper authentication following read-only user login | CVE-2023-46717 | An improper authentication vulnerability [CWE-287] in FortiOS when configured with FortiAuthenticator in... | FortiOS 7.4.1, 7.4.0, 7.2.6, 7.2.5, 7.2.4 ... | Mar 12, 2024 | | Medium |
| FG-IR-23-328 Out-of-bounds Write in captive portal | CVE-2023-42789 | An out-of-bounds write vulnerability [CWE-787] and a stack-based buffer overflow [CWE-121] in FortiOS &... | FortiOS 7.4.1, 7.4.0, 7.2.5, 7.2.4, 7.2.3 ... FortiProxy 7.4.0, 7.2.6, 7.2.5, 7.2.4, 7.2.3 ... | Mar 12, 2024 | | Critical |
| FG-IR-23-397 CVE-2023-44487 - Rapid Reset HTTP/2 vulnerability | CVE-2023-44487 | The Fortinet Product Security team has evaluated the impact of the vulnerability HTTP/2 Rapid Reset Attack,... | FortiOS 7.4.1, 7.4.0, 7.2.6, 7.2.5, 7.2.4 ... FortiProxy 7.4.1, 7.4.0, 7.2.7, 7.2.6, 7.2.5 ... | Feb 08, 2024 | | Medium |
| FG-IR-24-029 Format String Bug in fgfmd | CVE-2024-23113 | A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a... | FortiOS 7.4.2, 7.4.1, 7.4.0, 7.2.6, 7.2.5 ... FortiPAM 1.2.0, 1.1.2, 1.1.1, 1.1.0, 1.0.3 ... FortiProxy 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 ... FortiWeb 7.4.2, 7.4.1, 7.4.0 | Feb 08, 2024 | | Critical |
| FG-IR-23-301 FortiLink lack of certificate validation | CVE-2023-47537 | An improper certificate validation vulnerability [CWE-295] in FortiOS may allow an unauthenticated... | FortiOS 7.4.1, 7.4.0, 7.2.6, 7.2.5, 7.2.4 ... | Feb 08, 2024 | | Medium |
| FG-IR-24-015 Out-of-bound Write in sslvpnd | CVE-2024-21762 | An out-of-bounds write vulnerability [CWE-787] in FortiOS and FortiProxy may allow a remote unauthenticated... | FortiOS 7.4.2, 7.4.1, 7.4.0, 7.2.6, 7.2.5 ... FortiProxy 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 ... | Feb 08, 2024 | | Critical |