This advisory is for organizations that use Fortinet products. If your organization does not use these Fortinet products, this notification may be discarded.
Summary
Fortinet has released security updates for multiple products.
Affected Platforms
Vulnerability
|
|
CVSSv3
|
Affected versions
|
CVE-2023-42789
|
FortiOS & FortiProxy - Out-of-bounds Write in captive portal
|
9.3
|
FortiOS version 7.4.0 through 7.4.1
|
CVE-2023-42790
|
|
FortiOS version 7.2.0 through 7.2.5
|
|
|
FortiOS version 7.0.0 through 7.0.12
|
|
|
FortiOS version 6.4.0 through 6.4.14
|
|
|
FortiOS version 6.2.0 through 6.2.15
|
|
|
FortiProxy version 7.4.0
|
|
|
FortiProxy version 7.2.0 through 7.2.6
|
|
|
FortiProxy version 7.0.0 through 7.0.12
|
|
|
FortiProxy version 2.0.0 through 2.0.13
|
CVE-2023-48788
|
FortiClientEMS Pervasive SQL injection in DAS component
|
9.3
|
FortiClientEMS 7.2.0 - 7.2.2
|
|
|
FortiClientEMS 7.0.1 - 7.0.10
|
CVE-2023-47534
|
FortiClientEMS - CSV injection in log download feature
|
8.7
|
FortiClientEMS 7.2.0 - 7.2.2
|
|
|
FortiClientEMS 7.0.0 - 7.0.10
|
|
|
6.4 all version
|
|
|
6.2 all versions
|
|
|
6.0 all versions
|
CVE-2023-36554
|
FortiWLM MEA for FortiManager - improper access control in backup and restore features
|
7.7
|
FortiManager 7.4.0
|
|
|
FortiManager 7.2.0 - 7.2.3
|
|
|
FortiManager 7.0.0 - 7.0.10
|
|
|
FortiManager 6.4.0 - 6.4.13
|
|
|
FortiManager 6.2 all versions
|
CVE-2024-23112
|
FortiOS & FortiProxy – Authorization bypass in SSLVPN bookmarks
|
7.2
|
FortiOS 7.4.0 - 7.4.1
|
|
|
FortiOS 7.2.0 - 7.2.6
|
|
|
FortiOS 7.0.1 - 7.0.13
|
|
|
FortiOS 6.4.7 - 6.4.14
|
|
|
FortiProxy 7.4.0 - 7.4.2
|
|
|
FortiProxy 7.2.0 - 7.2.8
|
|
|
FortiProxy 7.0.0 - 7.0.14
|
Mitigations
CVE-2023-42789 & CVE-2023-42790 https://www.fortiguard.com/psirt/FG-IR-23-328
CVE-2023-48788 https://www.fortiguard.com/psirt/FG-IR-24-007
CVE-2023-47534 https://www.fortiguard.com/psirt/FG-IR-23-390
CVE-2023-36554 https://www.fortiguard.com/psirt/FG-IR-23-103
CVE-2024-23112 https://www.fortiguard.com/psirt/FG-IR-24-013
Additional Resources
https://www.cisa.gov/news-events/alerts/2024/03/12/fortinet-releases-security-updates-multiple-products