FortiMail / FortiNDR / FortiRecorder / FortiSwitch / FortiVoice - Cross-site request forgery (CSRF) in HTTPd CLI console

Summary

A cross-site request forgery vulnerability [CWE-352] in FortiMail, FortiNDR, FortiRecorder, FortiSwitch & FortiVoiceEnterprise may allow a remote and unauthenticated attacker to execute commands on the CLI by tricking an authenticated administrator into executing malicious GET requests.

Version            Affected               Solution
FortiMail 7.2      Not affected           Not Applicable
FortiMail 7.0      7.0.0 through 7.0.3    Upgrade to 7.0.4 or above
FortiMail 6.4      6.4.0 through 6.4.6    Upgrade to 6.4.7 or above
FortiMail 6.2      6.2 all versions       Migrate to a fixed release
FortiMail 6.0      6.0 all versions       Migrate to a fixed release
FortiNDR 7.2       Not affected           Not Applicable
FortiNDR 7.1       7.1.0                  Upgrade to 7.1.1 or above
FortiNDR 7.0       7.0.0 through 7.0.4    Upgrade to 7.0.5 or above
FortiNDR 1.5       1.5 all versions       Migrate to a fixed release
FortiNDR 1.4       1.4 all versions       Migrate to a fixed release
FortiNDR 1.3       1.3 all versions       Migrate to a fixed release
FortiNDR 1.2       1.2 all versions       Migrate to a fixed release
FortiNDR 1.1       1.1 all versions       Migrate to a fixed release
FortiRecorder 7.0  Not affected           Not Applicable
FortiRecorder 6.4  6.4.0 through 6.4.2    Upgrade to 6.4.3 or above
FortiRecorder 6.0  6.0.0 through 6.0.11   Upgrade to 6.0.12 or above
FortiRecorder 2.7  2.7 all versions       Migrate to a fixed release
FortiRecorder 2.6  2.6 all versions       Migrate to a fixed release
FortiSwitch 7.2    Not affected           Not Applicable
FortiSwitch 7.0    7.0.0 through 7.0.4    Upgrade to 7.0.5 or above
FortiSwitch 6.4    6.4.0 through 6.4.10   Upgrade to 6.4.11 or above
FortiSwitch 6.2    6.2 all versions       Migrate to a fixed release
FortiSwitch 6.0    6.0 all versions       Migrate to a fixed release
FortiVoice 7.0     Not affected           Not Applicable
FortiVoice 6.4     6.4.0 through 6.4.7    Upgrade to 6.4.8 or above
FortiVoice 6.0     6.0.0 through 6.0.11   Upgrade to 6.0.12 or above
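
For triaging an inventory against the version table above, the following is an added example (not Fortinet code). The function names, the inventory layout and the sample hostnames and versions are this example's own assumptions; versions are compared numerically, so 6.4.10 sorts after 6.4.6, and products or branches missing from the table are flagged for review rather than treated as safe.

```python
import re

# Per-branch data transcribed from the advisory table: "ok" = not affected,
# "all" = all versions affected, (last_affected, first_fixed) = affected from x.y.0.
ADVISORY = {
    "FortiMail": {"7.2": "ok", "7.0": ("7.0.3", "7.0.4"),
                  "6.4": ("6.4.6", "6.4.7"), "6.2": "all", "6.0": "all"},
    "FortiNDR": {"7.2": "ok", "7.1": ("7.1.0", "7.1.1"),
                 "7.0": ("7.0.4", "7.0.5"), "1.5": "all", "1.4": "all",
                 "1.3": "all", "1.2": "all", "1.1": "all"},
    "FortiRecorder": {"7.0": "ok", "6.4": ("6.4.2", "6.4.3"),
                      "6.0": ("6.0.11", "6.0.12"), "2.7": "all", "2.6": "all"},
    "FortiSwitch": {"7.2": "ok", "7.0": ("7.0.4", "7.0.5"),
                    "6.4": ("6.4.10", "6.4.11"), "6.2": "all", "6.0": "all"},
    "FortiVoice": {"7.0": "ok", "6.4": ("6.4.7", "6.4.8"),
                   "6.0": ("6.0.11", "6.0.12")},
}

def parse(version):
    """'v6.4.10-build123' -> (6, 4, 10); a missing patch level counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(g) for g in m.groups(default="0"))

def triage(product, version):
    """Return (status, action) for one device."""
    v = parse(version)
    entry = ADVISORY.get(product, {}).get(f"{v[0]}.{v[1]}")
    if entry is None:
        return ("unlisted", "product or branch not in the table; review manually")
    if entry == "ok":
        return ("not affected", None)
    if entry == "all":
        return ("affected", "migrate to a fixed release")
    last_affected, first_fixed = entry
    if v <= parse(last_affected):
        return ("affected", f"upgrade to {first_fixed} or above")
    return ("fixed", None)

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [("mail-gw-01", "FortiMail", "v7.0.3-build0200"),
             ("sw-core-02", "FortiSwitch", "6.4.10"),
             ("sw-edge-07", "FortiSwitch", "6.4.11"),
             ("ndr-lab", "FortiNDR", "1.4.0")]

def report(inventory=INVENTORY):
    return [(host, *triage(product, ver)) for host, product, ver in inventory]
```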

Acknowledgement

Internally discovered and reported by Théo Leleu of the Fortinet Product Security team.

Timeline

2023-12-11: Initial publication