Headline
CVE-2023-26207: Fortiguard
An insertion of sensitive information into log file vulnerability in Fortinet FortiOS 7.2.0 through 7.2.4 and FortiProxy 7.0.0 through 7.0.10, 7.2.0 through 7.2.1 allows an attacker to read certain passwords in plain text.
**PSIRT Advisories**
FortiOS & FortiProxy - SMTP password ciphertext exposure in Log
Summary
An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS / FortiProxy log events may allow a remote authenticated attacker to read certain passwords in plain text.
Affected Products
FortiOS 7.2 all versions
FortiProxy version 7.2.0 through 7.2.1
FortiProxy 7.0 all versions
Solutions
Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiProxy version 7.2.2 or above
Acknowledgement
Internally discovered and reported by Goutham Dhongadi Rukmasah of Fortinet R&D team.
Timeline
2023-05-12: Initial publication