PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.

For details of how to raise a PSIRT issue with Fortinet, please see our PSIRT Policy.

FortiWeb 5.0.2 and lower are vulnerable to cross-site scripting (CVE-2014-1955), HTTP header injection (CVE-2014-1956) and privilege...

Feb 13, 2014 | IR Number: FG-IR-13-009
FortiOS 5.0.5 and earlier versions contain a cross-site scripting vulnerability. The mkey parameter in the URL /firewall/schedule/recurrdlg...

Feb 03, 2014 | IR Number: FG-IR-14-003
FortiWeb 5.0.3 and earlier versions contain a cross-site scripting vulnerability. The filter parameter in the URL "/user/ldap_user/add"...

Feb 03, 2014 | IR Number: FG-IR-14-002
Authenticated administrative users can store injected JavaScript content in a specific field on the web management interface....

Jan 17, 2014 | IR Number: FG-IR-14-001
Authenticated admin users may be able to obtain access to a system shell from the command line interface.

Dec 13, 2013 | IR Number: FG-IR-13-016
Multiple CSRF vulnerabilities exist in the FortiAnalyzer web administration console due to an error in CSRF token validation....

Nov 22, 2013 | IR Number: FG-IR-13-018
Multiple CSRF (Cross-Site Request Forgery) vulnerabilities exist in FortiGate because GUI pages are not protected by a CSRF token....

Jul 08, 2013 | IR Number: FG-IR-13-014
An improper guest user permission management issue exists in FortiGate.

Jun 13, 2013 | IR Number: FG-IR-013-004
Under certain conditions, FortiClient VPN may be susceptible to a certificate validation vulnerability which would allow an attacker...

May 13, 2013 | IR Number: FG-IR-13-008
Input filter bypass and exception handling vulnerabilities can be used by an attacker to hijack administrator or customer sessions...

Jan 29, 2013 | IR Number: FG-IR-013-001
FortiDB does not sanitize user input properly under limited circumstances. The vulnerability could allow an attacker to inject...

Dec 03, 2012 | IR Number: FG-IR-012-007
FortiWeb does not sanitize user input properly under limited circumstances. The vulnerability could allow an attacker to inject...

Dec 03, 2012 | IR Number: FG-IR-012-008
FortiWeb fails to sanitize user input. The vulnerability allows an attacker to inject script code.

Oct 25, 2012 | IR Number: FG-IR-012-006
FortiMail fails to sanitize user input. The vulnerability allows an attacker to bypass its input filtering routine, which could...

Oct 25, 2012 | IR Number: FG-IR-012-005
Vulnerability-lab.com publicly released news of vulnerabilities discovered in FortiGate UTM WAF appliance platforms.

Sep 14, 2012 | IR Number: FG-IR-012-004