PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.  

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

There exists a reflected cross-site scripting (XSS) vulnerability on FortiMail customized pre-authentication webmail login page,...

Oct 13, 2017 Risk IR Number: FG-IR-17-099
Multiple Remote Code Execution vulnerabilities (CVE-2017-9805, CVE-2017-9804, CVE-2017-9793) are affecting Apache Struts.

Sep 29, 2017 Risk IR Number: FG-IR-17-205
The FortiOS IKE packets which include the Vendor ID embed the FortiOS build version number.

Aug 11, 2017 Risk IR Number: FG-IR-17-073
The HTML source code of the FortiWeb SNMPv3 user edit webui page includes the user's password in cleartext.

Aug 11, 2017 Risk IR Number: FG-IR-17-162
Three XSS vulnerabilities: one via the filter input in "Applications" under FortiView (CVE-2017-3131), the second via the action...

Jul 28, 2017 Risk IR Number: FG-IR-17-104
The LibGD project released advisories on January 18th, 2017, July 22nd, 2016 and June 25th, 2016 describing 12 vulnerabilities,...

Jul 26, 2017 Risk IR Number: FG-IR-17-051
FortiWLM has a hard-coded password for its "upgrade" user account, which it uses to transfer files to and from the FortiWLC controller....

Jun 30, 2017 Risk IR Number: FG-IR-17-115
Two XSS vulnerabilities were reported to us affecting FortiOS that can be exploited to load and run a remote (malicious) JavaScript...

Jun 15, 2017 Risk IR Number: FG-IR-17-127
FortiOS is subject to a Cross-Site Scripting vulnerability, due to an improperly sanitized parameter in a hidden CLI configuration...

May 17, 2017 Risk IR Number: FG-IR-17-057
Multiple vulnerabilities impacting FortiPortal were disclosed to Fortinet with details as follows: CVE-2017-7337: Improper Access...

May 15, 2017 Risk IR Number: FG-IR-17-114
The FortiAnalyzer and FortiManager WebUI accept a user-controlled input that specifies a link to an external site, and uses that...

Apr 26, 2017 Risk IR Number: FG-IR-17-014
An XSS vulnerability caused by the scrintf parameter input during Firewall Policy Creation can be exploited to load and run a...

Apr 19, 2017 Risk IR Number: FG-IR-17-017
The Site Publisher functionality of FortiWeb has been found vulnerable to a Cross-Site Scripting vulnerability via an improperly...

Apr 19, 2017 Risk IR Number: FG-IR-17-076
The lack of input sanitisation for CLI command 'copy running-config' allows a user with 'admin' or 'superuser' privilege level...

Apr 12, 2017 Risk IR Number: FG-IR-17-097
A race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel may allow local users to obtain sensitive...

Apr 05, 2017 Risk IR Number: FG-IR-16-013