PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.

For details of how to raise a PSIRT issue with Fortinet, please see our PSIRT Policy. For the recommended upgrade path, see our Upgrade Path Tool Table.


Total: 120

Each entry lists: PSIRT ID and title, CVE, description, affected products, updated date (with published date), component where given, and severity.
FG-IR-23-432 Firewall deny policy bypass
CVE: CVE-2023-47536
Description: An improper access control vulnerability [CWE-284] in FortiOS and FortiProxy may allow a remote...
Affected products: FortiOS 7.2.0, 7.0.16, 7.0.15, 7.0.14, 7.0.13 ... FortiProxy 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.9 ...
Updated: Dec 11, 2023 (Published: Dec 12, 2023)
Severity: Low
FG-IR-23-270 Read-only administrator can read or backup the system configuration
CVE: CVE-2023-41673
Description: An improper authorization vulnerability [CWE-285] in FortiADC may allow a low privileged user to read or...
Affected products: FortiADC 7.4.0, 7.2.2, 7.2.1, 7.2.0, 7.1.4 ...
Updated: Dec 11, 2023 (Published: Dec 12, 2023)
Severity: Medium
FG-IR-22-345 Command injection in "execute restore/backup" CLI commands
CVE: CVE-2023-40716
Description: An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the command...
Affected products: FortiTester 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.1 ...
Updated: Dec 01, 2023 (Published: Dec 12, 2023)
Component: CLI
Severity: Medium
FG-IR-23-256 Log injection
CVE: CVE-2023-46713
Description: An improper output neutralization for logs vulnerability [CWE-117] in FortiWeb Traffic Log component may...
Affected products: FortiWeb 7.4.0, 7.2.5, 7.2.4, 7.2.3, 7.2.2 ...
Updated: Nov 21, 2023 (Published: Dec 12, 2023)
Severity: Medium
FG-IR-23-119 Format String Bug in Fclicense daemon
CVE: CVE-2023-29181
Description: A use of externally-controlled format string vulnerability [CWE-134] in the Fclicense daemon of FortiOS...
Affected products: FortiOS 7.2.4, 7.2.3, 7.2.2, 7.2.1, 7.2.0 ... FortiPAM 1.0.3, 1.0.2, 1.0.1, 1.0.0 FortiProxy 7.2.4, 7.2.3, 7.2.2, 7.2.1, 7.2.0 ...
Updated: Nov 15, 2023 (Published: Jun 12, 2023)
Severity: High
FG-IR-23-135 OS command injection in Report Server
CVE: CVE-2023-36553
Description: An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM...
Affected products: FortiSIEM 5.4.0, 5.3.3, 5.3.2, 5.3.1, 5.3.0 ...
Updated: Nov 13, 2023 (Published: Nov 14, 2023)
Component: GUI
Severity: Critical
FG-IR-23-290 Windows agent password is visible in the logs
CVE: CVE-2023-41676
Description: An exposure of sensitive information to an unauthorized actor [CWE-200] in FortiSIEM may allow an attacker...
Affected products: FortiSIEM 7.0.0, 6.7.5, 6.7.4, 6.7.3, 6.7.2 ...
Updated: Nov 13, 2023 (Published: Nov 14, 2023)
Severity: Medium
FG-IR-23-385 Curl and libcurl CVE-2023-38545 and CVE-2023-38546 vulnerabilities
CVE: CVE-2023-38545
Description: CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool). A heap-based buffer overflow flaw...
Affected products: FortiExtender 7.4.1, 7.4.0, 7.2.3, 7.2.2, 7.2.1 ... FortiOS 7.4.1, 7.4.0, 7.2.6, 7.2.5, 7.2.4 ... FortiProxy 7.4.1, 7.4.0, 7.2.7, 7.2.6, 7.2.5 ...
Updated: Nov 07, 2023 (Published: Nov 14, 2023)
Severity: Medium
FG-IR-23-392 Encrypted password stored in logs
CVE: CVE-2023-45585
Description: An insertion of sensitive information into log file vulnerability [CWE-532] in FortiSIEM may allow an...
Affected products: FortiSIEM 7.0.0, 6.7.6, 6.7.5, 6.7.4, 6.7.3 ...
Updated: Nov 07, 2023 (Published: Nov 14, 2023)
Severity: Low
FG-IR-22-292 Privilege escalation vulnerability using the automation cli-script feature
CVE: CVE-2023-26205
Description: An improper access control vulnerability [CWE-284] in FortiADC automation feature may allow an...
Affected products: FortiADC 7.1.2, 7.1.1, 7.1.0, 7.0.5, 7.0.4 ...
Updated: Nov 07, 2023 (Published: Nov 14, 2023)
Severity: High
FG-IR-23-064 Buffer overflows in CLI commands
CVE: CVE-2023-29177
Description: Multiple buffer copy without checking size of input ('classic buffer overflow') vulnerabilities [CWE-120]...
Affected products: FortiADC 7.2.0, 7.1.2, 7.1.1, 7.1.0, 7.0.5 ... FortiDDoS-F 6.5.0, 6.4.1, 6.4.0, 6.3.5, 6.3.4 ...
Updated: Nov 02, 2023 (Published: Nov 14, 2023)
Component: CLI
Severity: Medium
FG-IR-22-396 Bypass of root file system integrity checks at boot time on VM
CVE: CVE-2023-28002
Description: An improper validation of integrity check value vulnerability [CWE-354] in FortiOS VMs may allow a local...
Affected products: FortiOS 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.12 ...
Updated: Nov 02, 2023 (Published: Nov 14, 2023)
Severity: Medium
FG-IR-23-221 Syslog not protected by an extra layer of authentication
CVE: CVE-2023-42782
Description: An insufficient verification of data authenticity vulnerability [CWE-345] in FortiAnalyzer,...
Affected products: FortiAnalyzer 7.4.0, 7.2.3, 7.2.2, 7.2.1, 7.2.0 ... FortiAnalyzer-BigData 7.2.5, 7.2.4, 7.2.3, 7.2.2, 7.2.1 ... FortiManager 7.4.0, 7.2.3, 7.2.2, 7.2.1, 7.2.0 ...
Updated: Oct 30, 2023 (Published: Oct 10, 2023)
Severity: Medium
FG-IR-23-177 Use of hardcoded credentials in fmgsvrd
CVE: CVE-2023-40719
Description: A use of hard-coded credentials [CWE-798] in FortiManager and FortiAnalyzer may allow an attacker to...
Affected products: FortiAnalyzer 7.4.0, 7.2.3, 7.2.2, 7.2.1, 7.2.0 ... FortiManager 7.4.0, 7.2.3, 7.2.2, 7.2.1, 7.2.0 ...
Updated: Oct 28, 2023 (Published: Nov 14, 2023)
Severity: Medium
FG-IR-22-518 CORS: arbitrary origin trusted
CVE: CVE-2023-25603
Description: A permissive cross-domain policy with untrusted domains [CWE-942] vulnerability in the API of FortiADC /...
Affected products: FortiADC 7.1.1, 7.1.0 FortiDDoS-F 6.4.1, 6.4.0, 6.3.5, 6.3.4, 6.3.3 ...
Updated: Oct 17, 2023 (Published: Nov 14, 2023)
Severity: Medium