Fortinet has released patches for a high-severity cross-site scripting (XSS) vulnerability impacting multiple FortiOS and FortiProxy versions.
Tracked as CVE-2023-29183 (CVSS score of 7.3), the security defect is described as an “improper neutralization of input during web page generation”.
Successful exploitation of the bug, Fortinet explains in an advisory, may allow an authenticated attacker to use crafted guest management settings to trigger the execution of malicious JavaScript code.
Identified by Fortinet’s CSE team, the flaw impacts FortiProxy versions 7.0.x and 7.2.x, and FortiOS versions 6.2.x, 6.4.x, 7.0.x, and 7.2.x.
Fortinet has released FortiProxy versions 7.0.11 and 7.2.5, and FortiOS versions 6.2.15, 6.4.13, 7.0.12, 7.2.5, and 7.4.0 to address this issue.
The cybersecurity company also released patches for a high-severity issue in its web application firewall and API protection solution FortiWeb.
Tracked as CVE-2023-34984 (CVSS score of 7.1), the issue could allow an attacker to bypass existing XSS and cross-site request forgery (CSRF) protections, the company explains.
According to Fortinet, the bug impacts FortiWeb versions 6.3, 6.4, 7.0.x, and 7.2.x, and was addressed with the release of FortiWeb versions 7.0.7 and 7.2.2.
Fortinet users are advised to update their firewalls and switches as soon as possible. While the company makes no mention of any of these vulnerabilities being exploited in attacks, flaws in Fortinet appliances have been targeted in the wild to gain access to enterprise networks.
The US Cybersecurity and Infrastructure Security Agency (CISA) warns that exploitation of these bugs could lead to full system compromise and advises administrators to review Fortinet’s advisories and apply the necessary updates.
“A cyber threat actor can exploit one of these vulnerabilities to take control of an affected system,” CISA notes.
Related: Fortinet Patches Critical FortiOS Vulnerability Leading to Remote Code Execution
Related: Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks
Related: Fortinet Patches Critical Vulnerability in Data Analytics Solution
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
