Refine
RESET


Filter by Date:
switch-off-logo All
Filter by Severity Level:
switch-on-logo All
switch-off-logo Critical light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo (2)
switch-off-logo High light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo (17)
switch-off-logo Medium light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo (20)
switch-off-logo Low light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo (2)
switch-off-logo Informational light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo (0)
Filter by Affected Product:
switch-on-logo All

PSIRT Advisories

Monthly PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.  

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

FortiOS - Heap-based Buffer Overflow in firmware signature verification
A heap-based buffer overflow [CWE-122] in the firmware signature verification function of FortiOS may allow an attacker to...
FortiOS 7.0.1, 7.0.0, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-115 CVE-2021-36173
FortiOS - Integer overflow in SSLVPN allocator
An integer overflow or wraparound vulnerability [CWE-190] in FortiOS SSLVPN memory allocator may allow an unauthenticated ...
FortiOS 7.0.0, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-049 CVE-2021-26109
FortiOS - Removal of `restore src-vis` command.
A download of code without integrity check vulnerability [CWE-494] in the "execute restore src-vis" command of FortiOS may...
FortiOS 7.0.2, 7.0.1, 7.0.0, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0, 5.6.9, 5.6.8, 5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.14, 5.6.13, 5.6.12, 5.6.11, 5.6.10, 5.6.1, 5.6.0, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.13, 5.4.12, 5.4.11, 5.4.10, 5.4.1, 5.4.0, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.15, 5.2.14, 5.2.13, 5.2.12, 5.2.11, 5.2.10, 5.2.1, 5.2.0, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.14, 5.0.13, 5.0.12, 5.0.11, 5.0.10, 5.0.1, 5.0.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo Low IR Number: FG-IR-21-201 CVE-2021-44168
FortiOS and FortiProxy - Privilege escalation vulnerability using the automation script feature
An improper access control vulnerability [CWE-284] in FortiOS and FortiProxy autod daemon may allow an authenticated low-p...
FortiOS 7.0.0, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0, 5.6.9, 5.6.8, 5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.14, 5.6.13, 5.6.12, 5.6.11, 5.6.10, 5.6.1, 5.6.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-20-131 CVE-2021-26110
FortiSandbox, FortiWeb, FortiADC, FortiMail - Multiple cryptographic flaws allow for full LDAP and RADIUS passwords compromise
A missing cryptographic steps vulnerability [CWE-325] in the function that encrypts users' LDAP and RADIUS credentials in ...
FortiADC 6.2.0, 6.1.3, 6.1.2, 6.1.1, 6.1.0, 6.0.3, 6.0.2, 6.0.1, 6.0.0 FortiSandbox 3.2.2, 3.2.1, 3.2.0 FortiWeb 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo Medium IR Number: FG-IR-20-222 CVE-2021-32591
FortiWLC - Improper authenticated access control
An improper access control vulnerability [CWE-284] in FortiWLC may allow an authenticated and remote attacker with low pri...
FortiWLC 8.6.1, 8.6.0, 8.5.5, 8.5.4, 8.5.3, 8.5.2, 8.5.1, 8.5.0, 8.4.8, 8.4.7, 8.4.6, 8.4.5, 8.4.4, 8.4.2, 8.4.1, 8.4.0, 8.3.3, 8.3.2, 8.3.1, 8.3.0, 8.2.7, 8.2.6, 8.2.5, 8.2.4, 8.1.3, 8.1.2, 8.0.6, 8.0.5
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-200 CVE-2021-42758
FortiWLM - SQL Injection in script handlers
An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiWLM...
FortiWLM 8.6.1, 8.6.0, 8.5.3, 8.5.2, 8.5.1, 8.5.0, 8.4.2, 8.4.1, 8.4.0, 8.3.2, 8.3.1, 8.3.0, 8.2.2
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-129 CVE-2021-42760
FortiWLM - reflected cross-site scripting vulnerability in cgi_bin handlers
An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability  [CWE-79] in FortiWL...
FortiWLM 8.6.1, 8.6.0, 8.5.3, 8.5.2, 8.5.1, 8.5.0, 8.4.2, 8.4.1, 8.4.0, 8.3.2, 8.3.1, 8.3.0, 8.2.2
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo Medium IR Number: FG-IR-21-111 CVE-2021-42752
FortiWLM - stored cross-site scripting in hotspot profile controller
An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in FortiWLM...
FortiWLM 8.6.1, 8.6.0, 8.5.3, 8.5.2, 8.5.1, 8.5.0, 8.4.2, 8.4.1, 8.4.0, 8.3.2, 8.3.1, 8.3.0, 8.2.2
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo Medium IR Number: FG-IR-21-114 CVE-2021-41029
FortiWeb - Confused deputy issue on SERVER_NAME causes open proxy flaw
An unintended proxy or intermediary ('Confused Deputy') [CWE-441] in FortiWeb may allow an authenticated attacker to use t...
FortiWeb 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.1.2, 6.1.1, 6.1.0, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo Medium IR Number: FG-IR-21-123 CVE-2021-36190
FortiWeb - Heap-based buffer overflows in API controller
Multiple heap-based buffer overflow vulnerabilities [CWE-122] in web API controllers of FortiWeb may allow a remote authen...
FortiWeb 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-160 CVE-2021-41017
FortiWeb - Incorrect handling of large requests leads to denial of service
An uncontrolled resource consumption vulnerability [CWE-400] in FortiWeb may allow an unauthenticated attacker to cause a ...
FortiWeb 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.1.2, 6.1.1, 6.1.0, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-131 CVE-2021-41014
FortiWeb - Multiple command injection vulnerabilities
Multiple command injection vulnerabilities [CWE-78] in the command line interpreter of FortiWeb may allow an authenticated...
FortiWeb 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.1.2, 6.1.1, 6.1.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo Medium IR Number: FG-IR-21-157 CVE-2021-36195
FortiWeb - Multiple vulnerabilities in the authentication mechanism of confd
Multiple vulnerabilities in the authentication mechanism of FortiWeb's confd, including an instance of concurrent executio...
FortiWeb 6.4.2, 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.1.2, 6.1.1, 6.1.0, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo Medium IR Number: FG-IR-21-130 CVE-2021-41025
FortiWeb - OS command injection
Multiple improper neutralization of special elements used in a command vulnerabilities [CWE-77] in FortiWeb management int...
FortiWeb 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.1.2, 6.1.1, 6.1.0, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.9.2, 5.9.1, 5.9.0, 5.8.7, 5.8.6, 5.8.5, 5.8.3, 5.8.2, 5.8.1, 5.8.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-120 CVE-2021-36180