- 229/2023
- High
Fortinet has released security updates to fix several vulnerabilities in FortiProxy, FortiADC, and FortiOS.
The addressed vulnerabilities could allow the attacker to perform cross-site scripting attacks, or gain access to the affected products and inject malicious script into the webpage to steal the victim’s cookie-based authentication credentials.
The addressed vulnerabilities:
1. FortiADC – Command Injection in Automation/Webhook Module (CVE-2022- 35849):
- CVSS: 7.4
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Access
2. FortiOS & FortiProxy – Stored XSS in Guest Management Page (CVE-2023 -29183):
- CVSS: 7.3
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Consequences: Cross-Site Scripting
Sample of the affected products:
- FortiProxy version 7.2.0 through 7.2.4.
- FortiOS version 7.0.0 through 7.0.11.
- FortiADC version 7.0.0 through 7.0.3.
Vulnerabilities
- CVE-2023-29183
- CVE-2022-35849
Mitigations
The enterprise should deploy these patches as soon as the testing phase is completed.