FortiOS & FortiProxy - SSL-VPN portal is vulnerable to CSRF
An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy and FortiGate SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack . Only SSL VPN in web mode or full mode are impacted by this vulnerability.
FortiProxy versions 2.0.3 and below.
FortiProxy version 1.2.11 and below.
FortiGate version 7.0.0.
FortiGate versions 6.4.6 and below.
FortiGate versions 6.2.9 and below.
FortiGate versions 5.6.x and 6.0.x are also impacted.
Please upgrade to FortiProxy version 2.0.4 or above.
Please upgrade to FortiProxy version 1.2.12 or above.
Please upgrade to FortiGate version 7.0.1 or above.
Please upgrade to FortiGate version 6.4.7 or above.
Please upgrade to FortiGate version 6.2.10 or above.