Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-26103: Fortiguard

An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy verison 2.0.3 and below, 1.2.11 and below and FortiGate verison 7.0.0, 6.4.6 and below, 6.2.9 and below of SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack . Only SSL VPN in web mode or full mode are impacted by this vulnerability.

CVE
#csrf#vulnerability#web#ios

PSIRT Advisories

FortiOS & FortiProxy - SSL-VPN portal is vulnerable to CSRF

Summary

An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy and FortiGate SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack . Only SSL VPN in web mode or full mode are impacted by this vulnerability.

Affected Products

FortiProxy versions 2.0.3 and below.
FortiProxy version 1.2.11 and below.
FortiGate version 7.0.0.
FortiGate versions 6.4.6 and below.
FortiGate versions 6.2.9 and below.
FortiGate versions 5.6.x and 6.0.x are also impacted.

Solutions

Please upgrade to FortiProxy version 2.0.4 or above.

Please upgrade to FortiProxy version 1.2.12 or above.

Please upgrade to FortiGate version 7.0.1 or above.

Please upgrade to FortiGate version 6.4.7 or above.

Please upgrade to FortiGate version 6.2.10 or above.

Acknowledgement

Fortinet is pleased to thank Gabriel Costa Castello and Pablo Valle Alvear for bringing this issue to our attention under responsible disclosure.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907