PSIRT Advisories

Monthly PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.

For details of how to raise a PSIRT issue with Fortinet, please see the Fortinet PSIRT Policy.

Each entry below gives the publication date, the Fortinet IR number and, where assigned, the CVE identifier, followed by the advisory summary as it appears on the page (summaries are truncated as in the original listing).

Nov 09, 2016 | IR Number: FG-IR-16-065 | CVE-2016-8491
FortiWLC comes with a hardcoded account named 'core' which is used by Meru Access Points to send core dumps to the FortiWL...

Oct 05, 2016 | IR Number: FG-IR-16-051 | CVE-2015-7363
A cross-site scripting vulnerability in the FortiAnalyzer/FortiManager advanced settings page could allow an administrator t...

Sep 30, 2016 | IR Number: FG-IR-16-030 | CVE-2016-7561
The pam.log file generated by FortiWLC contains authenticated users' credentials (local admin and users authenticated again...

Sep 30, 2016 | IR Number: FG-IR-16-029 | CVE-2016-7560
FortiWLC runs an rsyncd server, historically used for High-Availability purposes. This server comes with a hardcoded account...

Sep 28, 2016 | IR Number: FG-IR-16-037
A vulnerability in FortiDDoS allows escalation of privilege via remote OS command injection through crafted URLs sent to the GUI. ...

Sep 22, 2016 | IR Number: FG-IR-16-026 | CVE-2016-2108
OpenSSL released an update in May 2016 to address two high and four low severity vulnerabilities. CVE-2016-2108; CVE-2016-2...

Sep 12, 2016 | IR Number: FG-IR-16-021
One of the processes in FortiClient stores VPN credentials unencrypted in memory. A malicious attacker who compromised the...

Sep 07, 2016 | IR Number: FG-IR-16-045 | CVE-2016-4965
FortiWAN 4.2.4 and below is exposed to cross-site scripting, information leak and escalation of privilege vulnerabilities. C...

Aug 17, 2016 | IR Number: FG-IR-16-023 | CVE-2016-6909
FortiGate firmware (FortiOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability. This vulnerabilit...

Aug 09, 2016 | IR Number: FG-IR-16-022
The FortiCloud online service before May 3, 2016 was exposed to cross-site scripting web vulnerabilities, which could allow ma...

Aug 09, 2016 | IR Number: FG-IR-16-020
A vulnerability in the FortiVoice 5.0 web application could allow a malicious script to be injected in the affected module; this ...

Aug 09, 2016 | IR Number: FG-IR-16-016 | CVE-2016-3193
An XSS vulnerability in FortiManager/FortiAnalyzer could allow privileged guest user accounts and restricted user accounts ...

Aug 09, 2016 | IR Number: FG-IR-16-017 | CVE-2016-3194
A vulnerability in the FortiManager/FortiAnalyzer address add page could allow a malicious script to be injected in the input f...

Aug 09, 2016 | IR Number: FG-IR-16-015 | CVE-2016-3195
A client-side XSS vulnerability in FortiManager/FortiAnalyzer could allow a malicious script to be injected in the Web UI; th...

Jul 14, 2016 | IR Number: FG-IR-16-014 | CVE-2016-3196
When a low-privileged user uploads images in the report section, the filenames are not properly sanitized; this potentiall...