PSIRTCross-site scripting forgery (CSRF) in HTTPd CLI console
Summary
A cross-site scripting forgery vulnerability [CWE-352] in FortiMail, FortiNDR, FortiRecorder, FortiSwitch & FortiVoiceEnterprise may allow a remote and unauthenticated attacker to execute commands on the CLI via tricking an authenticated administrator to execute malicious GET requests.
| Version | Affected | Solution |
|---|---|---|
| FortiMail 7.2 | Not affected | Not Applicable |
| FortiMail 7.0 | 7.0.0 through 7.0.3 | Upgrade to 7.0.4 or above |
| FortiMail 6.4 | 6.4.0 through 6.4.6 | Upgrade to 6.4.7 or above |
| FortiMail 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiMail 6.0 | 6.0 all versions | Migrate to a fixed release |
| FortiNDR 7.2 | Not affected | Not Applicable |
| FortiNDR 7.1 | 7.1.0 | Upgrade to 7.1.1 or above |
| FortiNDR 7.0 | 7.0.0 through 7.0.4 | Upgrade to 7.0.5 or above |
| FortiNDR 1.5 | 1.5 all versions | Migrate to a fixed release |
| FortiNDR 1.4 | 1.4 all versions | Migrate to a fixed release |
| FortiNDR 1.3 | 1.3 all versions | Migrate to a fixed release |
| FortiNDR 1.2 | 1.2 all versions | Migrate to a fixed release |
| FortiNDR 1.1 | 1.1 all versions | Migrate to a fixed release |
| FortiRecorder 7.0 | Not affected | Not Applicable |
| FortiRecorder 6.4 | 6.4.0 through 6.4.2 | Upgrade to 6.4.3 or above |
| FortiRecorder 6.0 | 6.0.0 through 6.0.11 | Upgrade to 6.0.12 or above |
| FortiRecorder 2.7 | 2.7 all versions | Migrate to a fixed release |
| FortiRecorder 2.6 | 2.6 all versions | Migrate to a fixed release |
| FortiSwitch 7.2 | Not affected | Not Applicable |
| FortiSwitch 7.0 | 7.0.0 through 7.0.4 | Upgrade to 7.0.5 or above |
| FortiSwitch 6.4 | 6.4.0 through 6.4.10 | Upgrade to 6.4.11 or above |
| FortiSwitch 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiSwitch 6.0 | 6.0 all versions | Migrate to a fixed release |
| FortiVoice 7.0 | Not affected | Not Applicable |
| FortiVoice 6.4 | 6.4.0 through 6.4.7 | Upgrade to 6.4.8 or above |
| FortiVoice 6.0 | 6.0.0 through 6.0.11 | Upgrade to 6.0.12 or above |
Acknowledgement
Internally discovered and reported by Théo Leleu of Fortinet Product Security team.Timeline
2023-12-11: Initial publication