- 87/2023
- Critical
Fortinet has released security updates to address several vulnerabilities in multiple products.
The addressed vulnerabilities could allow the attacker to execute arbitrary code, escalate privileges, bypass security restrictions, obtain information, cause crosssite scripting, and gain access to the affected products.
Sample of the addressed vulnerabilities:
1. FortiPresence – Unpassworded Remotely Accessible Redis & MongoDB (CVE-2022-41331):
- CVSS: 9.3
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
2. FortiOS & FortiProxy – Cross-Site Scripting Vulnerabilities in the Administrative Interface (CVE-2022-41330):
- CVSS: 8.3
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Cross-Site Scripting
Sample of affected products:
- FortiPresence.
- FortiClientWindows.
- FortiDDoS.
- FortiNAC.
- FortiSOAR.
Vulnerabilities
- CVE-2023-27995
- CVE-2023-22635
- CVE-2022-43951
- CVE-2022-40679
- CVE-2022-40682
- CVE-2022-42470
- CVE-2022-41331
- CVE-2022-43948
- CVE-2023-22641
- CVE-2022-424777
- CVE-2022-43952
- CVE-2022-43955
- CVE-2022-43946
- CVE-2022-0847
- CVE-2022-27487
- CVE-2022-41330
- CVE-2022-43947
- CVE-2022-27485
- CVE-2023-22642
- CVE-2022-42469
- CVE-2022-35850
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.
Fortinet Security Advisory