ADVISORY!

TLP : CLEAR

Date : 10/07/2024

REF NO : CERT / 2024/07/62

Fortinet Products Multiple Vulnerabilities

Severity Level: Medium

Components Affected

  • FortiOS versions 7.4.0 through 7.4.3
  • FortiOS 7.2 all versions
  • FortiOS 7.0 all versions
  • FortiProxy versions 7.4.0 through 7.4.3
  • FortiProxy 7.2 all versions
  • FortiProxy 7.0 all versions
  • FortiWeb versions 7.2.0 through 7.2.1
  • FortiWeb 7.0 all versions
  • FortiWeb 6.4 all versions
  • FortiWeb 6.3 all versions

Overview

Multiple vulnerabilities were identified in Fortinet Products. A remote attacker could exploit some of these vulnerabilities to trigger cross-site scripting, security restriction bypass, sensitive information disclosure and data manipulation on the targeted system.

Description

Two critical vulnerabilities have been identified in Fortinet products. The first, classified under CWE-1389, affects FortiProxy versions 7.4.3 and below, 7.2.10 and below, 7.0.17 and below, as well as FortiOS versions 7.4.3 and below, 7.2.8 and below, and 7.0.15 and below. This vulnerability arises from incorrect parsing of numbers with different radices during IP address validation, which could allow an unauthenticated attacker to bypass the IP blocklist through crafted requests.

The second vulnerability, classified under CWE-295, affects FortiWeb versions 7.2.0 through 7.2.1, all versions of 7.0, 6.4, and 6.3. It involves improper certificate validation, which could enable a remote, unauthenticated attacker in a Man-in-the-Middle (MitM) position to intercept and tamper with the communication between the Web Application Firewall (WAF) and its endpoints, compromising data security.
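To make the CWE-1389 failure mode concrete, the following is an added example written for this advisory (not Fortinet's code; the blocklist, the three parsers and the inputs are constructed). It shows why a validator that reads every octet as decimal disagrees with an inet_aton(3)-style reading of the same string, and how a strict canonical-form check removes the ambiguity by rejecting such input outright:

```python
import ipaddress
import re

# Canonical dotted-decimal only: four parts, no leading zeros, each 0-255.
_CANONICAL = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
                        r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")
# Constructed blocklist for this example (not taken from the advisory).
BLOCKLIST = [ipaddress.IPv4Network("127.0.0.0/8"),
             ipaddress.IPv4Network("10.0.0.0/8")]

def parse_naive(text):
    """Validator that reads every part as decimal (the CWE-1389 pattern):
    '0177' becomes 177, so '0177.0.0.1' is judged to be 177.0.0.1."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    octets = [int(p, 10) for p in parts]
    return None if max(octets) > 255 else ipaddress.IPv4Address(bytes(octets))

def parse_legacy(text):
    """How an inet_aton(3)-style resolver reads the same string: radix per
    part (0x = hex, leading 0 = octal), 1-4 parts, last part fills the rest.
    Included only to show the divergence, not as a validator to use."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isascii() and p.isalnum() for p in parts):
        return None
    try:
        vals = [int(p, 16) if p[:2].lower() == "0x"
                else int(p, 8) if len(p) > 1 and p[0] == "0"
                else int(p, 10) for p in parts]
    except ValueError:
        return None
    tail_bits = 8 * (5 - len(parts))  # bytes covered by the last part
    if max(vals[:-1], default=0) > 255 or vals[-1] >= 1 << tail_bits:
        return None
    head = int.from_bytes(bytes(vals[:-1]), "big")  # leading single bytes
    return ipaddress.IPv4Address((head << tail_bits) | vals[-1])

def parse_strict(text):
    """Fixed validator: canonical dotted-decimal only, so every accepted
    string has exactly one interpretation in every downstream parser."""
    return ipaddress.IPv4Address(text) if _CANONICAL.match(text) else None

def decide(text, parser):
    """Blocklist decision; fails closed on anything the parser rejects."""
    addr = parser(text)
    if addr is None:
        return "reject"
    return "block" if any(addr in net for net in BLOCKLIST) else "allow"
```

With the naive validator the string "0177.0.0.1" is allowed as 177.0.0.1 while the legacy reading resolves it to the blocked 127.0.0.1; the strict validator rejects it before any such disagreement can occur.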

Impact

  • Cross-Site Scripting
  • Security Restriction Bypass
  • Information Disclosure
  • Data Manipulation

Solution / Workarounds

Before installing the software, please visit the vendor website for more details.

Apply fixes issued by the vendor:

Reference

Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.

Sri Lanka Computer Emergency Readiness Team | Coordination Centre

Copyright © 2023 SRI LANKA CERT | CC