Fortinet Patches High-Severity Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products

Fortinet has released patches for a high-severity cross-site scripting (XSS) vulnerability impacting multiple FortiOS and FortiProxy versions. Tracked as CVE-2023-29183 (CVSS score of 7.3), the security defect is described as an “improper neutralization of input during web page generation”. Successful exploitation of the bug, Fortinet explains in an advisory, may allow an authenticated attacker to use crafted guest management settings to trigger the execution of malicious JavaScript code. Identified by Fortinet’s CSE team, the flaw impacts FortiProxy versions 7.0.x and 7.2.x, and FortiOS versions 6.2.x, 6.4.x, 7.0.x, and 7.2.x. Fortinet has released FortiProxy versions 7.0.11 and 7.2.5, and FortiOS versions 6.2.15, 6.4.13, 7.0.12, 7.2.5, and 7.4.0 to address this issue. The cybersecurity company also released patches for a high-severity issue in its web application firewall and API protection solution FortiWeb. Tracked as CVE-2023-34984 (CVSS score of 7.1), the issue could allow an attacker to bypass existing XSS and cross-site request forgery (CSRF) protections, the company explains.