A high-severity cross-site scripting (XSS) vulnerability tracked as (CVE-2023-29183) affecting several FortiOS and FortiProxy versions has been patched by Fortinet.
Additionally, the cybersecurity firm provided updates for a high-severity flaw in FortiWeb, tracked as (CVE-2023-34984).
“A cyber threat actor can exploit one of these vulnerabilities to take control of an affected system,” CISA warns.
CVE-2023-29183 – FortiOS & FortiProxy
The vulnerability was tracked as CVE-2023-29183 (CVSS score of 7.3) in FortiOS and FortiProxy GUI. An inappropriate neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability exists.
Attend the Live DDoS Website & API Attack Simulation webinar to gain knowledge on various types of attacks and how to prevent them.
- FortiProxy version 7.2.0 through 7.2.4
- FortiProxy version 7.0.0 through 7.0.10
- FortiOS version 7.2.0 through 7.2.4
- FortiOS version 7.0.0 through 7.0.11
- FortiOS version 6.4.0 through 6.4.12
- FortiOS version 6.2.0 through 6.2.14
- FortiProxy version 7.2.5 or above
- FortiProxy version 7.0.11 or above
- FortiOS version 7.4.0 or above
- FortiOS version 7.2.5 or above
- FortiOS version 7.0.12 or above
- FortiOS version 6.4.13 or above
- FortiOS version 6.2.15 or above
CVE-2023-34984 – FortiWeb
The vulnerability was tracked as CVE-2023-34984 (CVSS score of 7.1) in FortiWeb. A protection mechanism failure vulnerability may allow an attacker to bypass XSS and CSRF protection.
- FortiWeb version 7.2.0 through 7.2.1
- FortiWeb version 7.0.0 through 7.0.6
- FortiWeb 6.4, all versions
- FortiWeb 6.3, all versions
- FortiWeb version 7.2.2 or above
- FortiWeb version 7.0.7 or above
Hence, users of Fortinet are urged to upgrade their switches and firewalls as soon as possible.