
CVE-2023-29183: Fortiguard

An improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability [CWE-79] in the GUI of FortiProxy 7.2.0 through 7.2.4 and 7.0.0 through 7.0.10, and of FortiOS 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12 and 6.2.0 through 6.2.14, may allow an authenticated attacker to trigger malicious JavaScript code execution via a crafted guest management setting.


**PSIRT Advisories**

FortiOS & FortiProxy - Stored XSS in guest management page

Summary

An improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability [CWE-79] in the FortiOS and FortiProxy GUI may allow an authenticated attacker to trigger malicious JavaScript code execution via a crafted guest management setting.

Affected Products

FortiProxy version 7.2.0 through 7.2.4
FortiProxy version 7.0.0 through 7.0.10
FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.11
FortiOS version 6.4.0 through 6.4.12
FortiOS version 6.2.0 through 6.2.14

Solutions

Please upgrade to FortiProxy version 7.2.5 or above
Please upgrade to FortiProxy version 7.0.11 or above
Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.5 or above
Please upgrade to FortiOS version 7.0.12 or above
Please upgrade to FortiOS version 6.4.13 or above
Please upgrade to FortiOS version 6.2.15 or above
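As an added example (not Fortinet tooling), the affected ranges and fixed releases above can be turned into a check that maps a product and version string from a device inventory to the release it should be upgraded to; the inventory entries at the bottom are constructed samples.

```python
# Added example: check a FortiOS/FortiProxy version string against the affected
# ranges and fixed releases listed in the CVE-2023-29183 advisory above.
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (product, first affected, last affected, first fixed release on that branch),
# transcribed from the "Affected Products" and "Solutions" lists.
AFFECTED_RANGES = [
    ("FortiProxy", (7, 2, 0), (7, 2, 4), (7, 2, 5)),
    ("FortiProxy", (7, 0, 0), (7, 0, 10), (7, 0, 11)),
    ("FortiOS", (7, 2, 0), (7, 2, 4), (7, 2, 5)),
    ("FortiOS", (7, 0, 0), (7, 0, 11), (7, 0, 12)),
    ("FortiOS", (6, 4, 0), (6, 4, 12), (6, 4, 13)),
    ("FortiOS", (6, 2, 0), (6, 2, 14), (6, 2, 15)),
]


def parse_version(text: str) -> Version:
    """Turn 'v7.0.10' or '7.0.10' into a tuple of ints that compares numerically."""
    text = text.strip().lstrip("vV")
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def check_version(product: str, version: str) -> Optional[str]:
    """Return the first fixed release on the device's branch if the version falls
    inside an affected range, or None if the advisory does not list it as affected."""
    v = parse_version(version)
    for prod, low, high, fixed in AFFECTED_RANGES:
        if prod.lower() == product.lower() and low <= v <= high:
            return "%d.%d.%d" % fixed
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [("FortiOS", "7.0.11"), ("FortiOS", "7.4.0"), ("FortiProxy", "v7.2.5")]
    for product, ver in inventory:
        fix = check_version(product, ver)
        status = f"affected, upgrade to {fix}" if fix else "not in the listed affected ranges"
        print(f"{product} {ver}: {status}")
```

A None result only means the version is outside the ranges the advisory lists; branches the advisory does not mention are not thereby confirmed safe.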

Acknowledgement

Internally discovered and reported by William Costa from Fortinet’s CSE team

Timeline

2023-09-01: Initial publication
