Filter by Date
- 2022
  - 7 11-2022
  - 1 10-2022
  - 9 09-2022
  - 2 08-2022
  - 6 07-2022
  - 3 06-2022
  - 6 05-2022
  - 8 04-2022
  - 1 03-2022
  - 2 02-2022
- 2021
  - 20 12-2021
  - 11 11-2021
  - 5 10-2021
  - 7 09-2021
  - 11 08-2021
  - 11 07-2021
  - 10 06-2021
  - 2 05-2021
  - 3 04-2021
  - 4 03-2021
  - 4 02-2021
  - 5 01-2021
- 2020
  - 2 12-2020
  - 1 11-2020
  - 2 10-2020
  - 7 09-2020
  - 1 07-2020
  - 9 06-2020
  - 4 05-2020
  - 2 04-2020
  - 8 03-2020
  - 5 02-2020
  - 5 01-2020
- 2019
  - 1 12-2019
  - 7 11-2019
  - 4 10-2019
  - 2 09-2019
  - 1 08-2019
  - 3 07-2019
  - 2 06-2019
  - 3 05-2019
  - 4 04-2019
  - 1 02-2019
- 2018
  - 1 12-2018
  - 1 11-2018
  - 4 08-2018
  - 2 07-2018
  - 2 06-2018
  - 2 05-2018
  - 1 04-2018
- 2017
  - 2 12-2017
  - 3 11-2017
  - 5 10-2017
  - 2 07-2017
  - 4 04-2017
  - 1 02-2017
- 2016
  - 1 12-2016
  - 4 11-2016
  - 2 09-2016
  - 5 08-2016
  - 1 07-2016
  - 1 06-2016
  - 1 04-2016
  - 1 02-2016
- 2015
  - 1 09-2015
  - 2 07-2015
  - 1 02-2015
  - 1 01-2015
- 2014
  - 1 12-2014
  - 1 10-2014
  - 1 08-2014
  - 1 07-2014
  - 1 06-2014
  - 1 05-2014
  - 1 04-2014
  - 3 02-2014
  - 1 01-2014
- 2013
  - 1 12-2013
  - 1 01-2013
- 2012
  - 1 10-2012
  - 1 08-2012
Filter by Severity
- 0 Critical
- 0 High
- 278 Medium
- 0 Low
- 0 Informational
Filter by Affected Product
- All
- 50 FortiOS
- 22 FortiManager
- 22 FortiAnalyzer
- 19 FortiProxy
- 18 FortiWeb
- 14 FortiMail
- 13 FortiSandbox
- 10 FortiPortal
- 10 FortiADC
- 8 FortiWLC
- 7 FortiClientEMS
- 7 FortiSwitch
- 6 FortiClientWindows
- 6 FortiSIEM
- 6 FortiSOAR
- 5 FortiWAN
- 5 FortiAuthenticator
- 4 FortiClientMac
- 4 FortiNAC
- 4 FortiDDoS
- 4 FortiRecorder
- 4 FortiEDR
- 3 FortiWLM
- 3 FortiAP
- 3 FortiVoiceEnterprise
- 3 FortiAP-S
- 3 FortiAP-W2
- 3 FortiDDoS-F
- 2 FortiTester
- 2 FortiAP-U
- 2 FortiClientLinux
- 2 FortiIsolator
- 2 FortiADCManager
- 2 FortiExtender
- 2 FortiSIEMWindowsAgent
- 2 FortiDDoS-CM
- 1 FortiDeceptor
- 1 FortiNDR
- 1 FortiAP-C
- 1 FortiCache
- 1 FortiClientiOS
- 1 FortiTokenAndroid
- 1 FortiWebManager
- 1 Meru AP
- 1 AV Engine
- 1 FSSO Windows CA
- 1 FSSO Windows DC Agent
- 1 FortiCloud
- 1 FortiGuard
- 1 FortiSDNConnector
- 1 FortiTokenIOS
- 1 FortiTokenMobileWP
- 0 AscenLink
- 0 FortiAnalyzer-BigData
- 0 FortiClientAndroid
- 0 FortiDB
- 0 FortiFone
- 0 FortiOS-6K7K
- 0 FortiSwitchManager
- 0 FortiWAN-Manager
- 0 Meru Controller

Refine Search

PSIRT Advisories

Monthly PSIRT Advisories

2022: Nov , Sep , Aug , Jul , Jun , May , Apr , Mar , Feb
2021: Dec , Nov , Oct , Sep , Aug , Jul , Jun , May , Apr , Mar , Feb , Jan
2020: Dec

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

AV Engine - evasion by manipulating MIME attachment

An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engines...

AV Engine 6.33, 6.253, 6.252, 6.243, 6.157, 6.156, 6.145, 6.144, 6.142, 6.137, 4.4.54, 2.0.60, 2.0.49, 0.4.23 FortiMail 7.0.2, 7.0.1, 7.0.0, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0 FortiOS 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.9, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.11, 6.4.10, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.12, 6.2.11, 6.2.10, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.15, 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0

Nov 01, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-22-074 CVE-2022-26122

FortiADC - WAF XSS Injection Bypass

An improper handling of malformed request vulnerability [CWE-228] in FortiADC may allow a remote attacker without privileg...

FortiADC 7.0.2, 7.0.1, 7.0.0, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.1.6, 6.1.5, 6.1.4, 6.1.3, 6.1.2, 6.1.1, 6.1.0, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1.0, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0

Nov 01, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-22-234 CVE-2022-38381

FortiEDR CollectorWindows - protection bypass by killing the process with special tools

An improper control of a resource through its lifetime vulnerability [CWE-664] in FortiEDR CollectorWindows may allow a pr...

FortiEDR 5.2.0, 5.1.0, 5.0.1, 5.0.0, 4.0.0

Nov 01, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-22-218 CVE-2022-39949

FortiMail - Inter-domain information leakage

An improper access control vulnerability [CWE-284] in FortiMail may allow an authenticated admin user assigned to a specif...

FortiMail 7.2.0, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0

Nov 01, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-22-066 CVE-2022-39945

FortiOS -- Read-Only users able to modify the Interface fields using the API

An improper access control [CWE-284] vulnerability in FortiOS may allow a remote authenticated read-only user to modify th...

FortiOS 7.2.0, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0

Nov 01, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-22-174 CVE-2022-38380

FortiSOAR - PostgreSQL DB access to local users

A missing authentication for critical function [CWE-306] vulnerabilty in FortiSOAR's Postgres database may allow a local a...

FortiSOAR 7.2.2, 7.2.1, 7.2.0, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0

Nov 01, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-22-216 CVE-2022-42473

FortiTester - Undocumented shell command

A hidden functionality vulnerability [CWE-1242] in FortiTester CLI may allow a local, privileged user to obtain a root she...

FortiTester 7.1.0, 7.0.0, 4.2.0, 4.1.1, 4.1.0, 4.0.0, 3.9.1, 3.9.0, 3.8.0, 3.7.1, 3.7.0, 3.6.0, 3.5.1, 3.5.0, 3.4.0, 3.3.1, 3.3.0, 3.2.0, 3.1.0, 3.0.0, 2.9.0, 2.8.0, 2.7.0, 2.6.0, 2.5.0, 2.4.1, 2.4.0, 2.3.0

Nov 01, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-22-283 CVE-2022-38372

FortiTester - Authenticated command injection in certificate import feature

An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the management interface of...

FortiTester 7.1.0, 7.0.0, 4.2.0, 4.1.1, 4.1.0, 4.0.0, 3.9.1, 3.9.0, 3.8.0, 3.7.1, 3.7.0, 3.6.0, 3.5.1, 3.5.0, 3.4.0, 3.3.1, 3.3.0, 3.2.0, 3.1.0, 3.0.0, 2.9.0, 2.8.0, 2.7.0, 2.6.0, 2.5.0, 2.4.1, 2.4.0, 2.3.0

Oct 10, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-22-247 CVE-2022-35844

FortiADC -- Read-Only user able to modify system files

An improper privilege management vulnerability [CWE-269] in FortiADC may allow a remote authenticated attacker with restri...

FortiDDoS-F 6.3.0 FortiADC 6.2.1, 6.2.0, 6.1.5, 6.1.4, 6.1.3, 6.1.2, 6.1.1, 6.1.0, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0

Sep 06, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-21-215 CVE-2021-43076

FortiMail - Cross-site scripting (XSS) in Webmail

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail Webmail may allow an un...

FortiMail 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0

Sep 06, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-21-045 CVE-2022-26114

FortiManager & FortiAnalyzer - Inter ADOM information leakage

An improper access control vulnerability [CWE-284] in FortiManager and FortiAnalyzer management interface may allow a remo...

FortiManager 7.2.0, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.11, 6.0.10, 6.0.1, 6.0.0 FortiAnalyzer 7.2.0, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.11, 6.0.10, 6.0.1, 6.0.0

Sep 06, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-20-143 CVE-2022-38377

FortiOS - TCP Middlebox Reflection

An improper verification of source of a communication channel vulnerability [CWE-940] in FortiOS may allow a remote and un...

FortiOS 7.2.0, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.10, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0

Sep 06, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-22-073 CVE-2022-27491

FortiOS -- XSS vulnerability observed in External Connectors Of Security Fabric

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS may allow an authenticate...

FortiOS 7.2.0, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.9, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0 FortiProxy 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 2.0.8, 2.0.7, 2.0.6, 2.0.5, 2.0.4, 2.0.3, 2.0.2, 2.0.1, 2.0.0

Sep 06, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-21-222 CVE-2021-43080

FortiSOAR - OS Command Injection in Agent Password Field

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fo...

FortiSOAR 7.2.0, 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1

Sep 06, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-22-156 CVE-2022-29061

FortiSOAR - Path traversal vulnerabilities in the web API

Multiple relative path traversal vulnerabilities [CWE-23] in the web API of FortiSOAR may allow an authenticated attacker ...

FortiSOAR 7.2.0, 7.0.2, 7.0.1, 7.0.0

Sep 06, 2022 Severity light-circle-logo

Medium IR Number: FG-IR-22-154 CVE-2022-29062

1
2
3
4
5
6
7
8
...
18
19

1
2
3
...
19