Vulnerabilities

CVE-2023-42789, CVE-2023-42790, CVE-2023-48788, CVE-2023-47534, CVE-2023-36554, CVE-2024-23112: Fortinet products

This advisory is for organizations that use Fortinet products.  If your organization does not use these Fortinet products, this notification may be discarded.

Summary

Fortinet has released security updates for multiple products.

Affected Platforms

| Vulnerability | Description | CVSSv3 | Affected versions |
|---|---|---|---|
| CVE-2023-42789 | FortiOS & FortiProxy - Out-of-bounds Write in captive portal | 9.3 | FortiOS version 7.4.0 through 7.4.1 |
| CVE-2023-42790 | | | FortiOS version 7.2.0 through 7.2.5 |
| | | | FortiOS version 7.0.0 through 7.0.12 |
| | | | FortiOS version 6.4.0 through 6.4.14 |
| | | | FortiOS version 6.2.0 through 6.2.15 |
| | | | FortiProxy version 7.4.0 |
| | | | FortiProxy version 7.2.0 through 7.2.6 |
| | | | FortiProxy version 7.0.0 through 7.0.12 |
| | | | FortiProxy version 2.0.0 through 2.0.13 |
| CVE-2023-48788 | FortiClientEMS - Pervasive SQL injection in DAS component | 9.3 | FortiClientEMS 7.2.0 - 7.2.2 |
| | | | FortiClientEMS 7.0.1 - 7.0.10 |
| CVE-2023-47534 | FortiClientEMS - CSV injection in log download feature | 8.7 | FortiClientEMS 7.2.0 - 7.2.2 |
| | | | FortiClientEMS 7.0.0 - 7.0.10 |
| | | | 6.4 all versions |
| | | | 6.2 all versions |
| | | | 6.0 all versions |
| CVE-2023-36554 | FortiWLM MEA for FortiManager - improper access control in backup and restore features | 7.7 | FortiManager 7.4.0 |
| | | | FortiManager 7.2.0 - 7.2.3 |
| | | | FortiManager 7.0.0 - 7.0.10 |
| | | | FortiManager 6.4.0 - 6.4.13 |
| | | | FortiManager 6.2 all versions |
| CVE-2024-23112 | FortiOS & FortiProxy - Authorization bypass in SSLVPN bookmarks | 7.2 | FortiOS 7.4.0 - 7.4.1 |
| | | | FortiOS 7.2.0 - 7.2.6 |
| | | | FortiOS 7.0.1 - 7.0.13 |
| | | | FortiOS 6.4.7 - 6.4.14 |
| | | | FortiProxy 7.4.0 - 7.4.2 |
| | | | FortiProxy 7.2.0 - 7.2.8 |
| | | | FortiProxy 7.0.0 - 7.0.14 |

Mitigations

CVE-2023-42789 & CVE-2023-42790 https://www.fortiguard.com/psirt/FG-IR-23-328

CVE-2023-48788 https://www.fortiguard.com/psirt/FG-IR-24-007

CVE-2023-47534 https://www.fortiguard.com/psirt/FG-IR-23-390

CVE-2023-36554 https://www.fortiguard.com/psirt/FG-IR-23-103

CVE-2024-23112 https://www.fortiguard.com/psirt/FG-IR-24-013

Additional Resources

https://www.cisa.gov/news-events/alerts/2024/03/12/fortinet-releases-security-updates-multiple-products