- 259/2023
- Critical
Fortinet has released security updates to address vulnerabilities affecting multiple products.
The addressed vulnerabilities could allow the attacker to gain access, perform cross-site scripting attacks, steal the victim’s cookie-based authentication credentials, or traverse directories on the affected systems by sending specially crafted URL requests.
Sample of the addressed vulnerabilities:
1. Fortinet FortiSIEM Directory Traversal Vulnerability (CVE-2023-40714):
- CVSS: 9.7
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Access
2. Fortinet FortiSandbox Cross-Site Scripting Vulnerability (CVE-2023-41680):
- CVSS: 7.3
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Consequences: Cross-Site Scripting
Sample of the affected products:
- FortiSIEM versions from 6.7.0 to 6.7.3.
- FortiSandbox versions from 4.2.0 to 4.2.4.
Vulnerabilities
- CVE-2023-40714
- CVE-2023-41843
- CVE-2023-41680
- CVE-2023-41682
- CVE-2023-41836
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.