In the ever-evolving landscape of cybersecurity, vulnerabilities are discovered and exploited with alarming frequency. Today, we shine a light on an insidious flaw in FortiOS that has sent shockwaves through the industry. XSS (Cross-Site Scripting) vulnerability is not a term to be taken lightly, as it exposes organizations to malicious attacks that can wreak havoc on their digital infrastructure. Join us as we delve into this critical security loophole in Fortinet’s renowned operating system, exploring its implications and providing insights to safeguard against potential breaches.
A high-severity cross-site scripting (XSS) vulnerability tracked as (CVE-2023-29183) affecting several FortiOS and FortiProxy versions has been patched by Fortinet.
Additionally, the cybersecurity firm provided updates for a high-severity flaw in FortiWeb, tracked as (CVE-2023-34984). “A cyber threat actor can exploit one of these vulnerabilities to take control of an affected system,” CISA warns.
CVE-2023-29183 – FortiOS & FortiProxy:
The vulnerability was tracked as CVE-2023-29183 (CVSS score of 7.3) in FortiOS and FortiProxy GUI. An inappropriate neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability exists.
“This may allow an authenticated attacker to trigger malicious JavaScript code execution via crafted guest management setting,” Fortinet said in its advisory.
Affected Products:
- FortiProxy version 7.2.0 through 7.2.4
- FortiProxy version 7.0.0 through 7.0.10
- FortiOS version 7.2.0 through 7.2.4
- FortiOS version 7.0.0 through 7.0.11
- FortiOS version 6.4.0 through 6.4.12
- FortiOS version 6.2.0 through 6.2.14
Patch Available:
- FortiProxy version 7.2.5 or above
- FortiProxy version 7.0.11 or above
- FortiOS version 7.4.0 or above
- FortiOS version 7.2.5 or above
- FortiOS version 7.0.12 or above
- FortiOS version 6.4.13 or above
- FortiOS version 6.2.15 or above
CVE-2023-34984 – FortiWeb:
The vulnerability was tracked as CVE-2023-34984 (CVSS score of 7.1) in FortiWeb. A protection mechanism failure vulnerability may allow an attacker to bypass XSS and CSRF protection.
Affected Products:
- FortiWeb version 7.2.0 through 7.2.1
- FortiWeb version 7.0.0 through 7.0.6
- FortiWeb 6.4, all versions
- FortiWeb 6.3, all versions
- FortiWeb version 7.2.2 or above
- FortiWeb version 7.0.7 or above
Hence, users of Fortinet are urged to upgrade their switches and firewalls as soon as possible.