Connect with us

Hi, what are you looking for?



Fortinet Patches High-Severity Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products

Fortinet has released patches for a high-severity cross-site scripting vulnerability impacting its enterprise firewalls and switches.

Fortinet has released patches for a high-severity cross-site scripting (XSS) vulnerability impacting multiple FortiOS and FortiProxy versions.

Tracked as CVE-2023-29183 (CVSS score of 7.3), the security defect is described as an “improper neutralization of input during web page generation”.

Successful exploitation of the bug, Fortinet explains in an advisory, may allow an authenticated attacker to use crafted guest management settings to trigger the execution of malicious JavaScript code.

Identified by Fortinet’s CSE team, the flaw impacts FortiProxy versions 7.0.x and 7.2.x, and FortiOS versions 6.2.x, 6.4.x, 7.0.x, and 7.2.x.

Fortinet has released FortiProxy versions 7.0.11 and 7.2.5, and FortiOS versions 6.2.15, 6.4.13, 7.0.12, 7.2.5, and 7.4.0 to address this issue.

The cybersecurity company also released patches for a high-severity issue in its web application firewall and API protection solution FortiWeb.

Tracked as CVE-2023-34984 (CVSS score of 7.1), the issue could allow an attacker to bypass existing XSS and cross-site request forgery (CSRF) protections, the company explains.

Advertisement. Scroll to continue reading.

According to Fortinet, the bug impacts FortiWeb versions 6.3, 6.4, 7.0.x, and 7.2.x, and was addressed with the release of FortiWeb versions 7.0.7 and 7.2.2.

Fortinet users are advised to update their firewalls and switches as soon as possible. While the company makes no mention of any of these vulnerabilities being exploited in attacks, flaws in Fortinet appliances have been targeted in the wild to gain access to enterprise networks.

The US Cybersecurity and Infrastructure Security Agency (CISA) warns that exploitation of these bugs could lead to full system compromise and advises administrators to review Fortinet’s advisories and apply the necessary updates.

“A cyber threat actor can exploit one of these vulnerabilities to take control of an affected system,” CISA notes.

Related: Fortinet Patches Critical FortiOS Vulnerability Leading to Remote Code Execution

Related: Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks

Related: Fortinet Patches Critical Vulnerability in Data Analytics Solution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.