PSIRT Advisories

Monthly PSIRT Advisories

2023: Jan
2022: Dec , Nov , Sep , Aug , Jul , Jun , May , Apr , Mar , Feb
2021: Dec , Nov , Oct , Sep , Aug , Jul , Jun , May , Apr , Mar , Feb , Jan
2020: Dec

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

FortiSOAR - Path traversal vulnerabilities in the web API

Multiple relative path traversal vulnerabilities [CWE-23] in the web API of FortiSOAR may allow an authenticated attacker ...

FortiSOAR 7.2.0, 7.0.2, 7.0.1, 7.0.0

Sep 06, 2022 Severity black-background-circle-icon

Medium IR Number: FG-IR-22-154 CVE-2022-29062

FortiSOAR - Privilege escalation from nginx user to root

An improper privilege management vulnerability [CWE-269] in FortiSOAR may allow a GUI user who has already found a way to ...

FortiSOAR 7.2.0, 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0

Sep 06, 2022 Severity black-background-circle-icon

Medium IR Number: FG-IR-22-152 CVE-2022-30298

FortiSOAR - Server-Side Template Injection in Playbook component

An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in FortiSOAR management ...

FortiSOAR 7.2.0, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0

Sep 06, 2022 Severity black-background-circle-icon

Medium IR Number: FG-IR-22-306 CVE-2022-35847

FortiWeb - SQL Injection in delete filter component

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb...

FortiWeb 7.0.1, 7.0.0, 6.4.2, 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.21, 6.3.20, 6.3.2, 6.3.19, 6.3.18, 6.3.17, 6.3.16, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3

Sep 06, 2022 Severity black-background-circle-icon

Low IR Number: FG-IR-22-140 CVE-2022-29059

FortiADC - Unverified password change over the GUI

An unverified password change vulnerability [CWE-620] in FortiADC may allow an authenticated attacker to bypass the Old Pa...

FortiADC 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.1.6, 6.1.5, 6.1.4, 6.1.3, 6.1.2, 6.1.1, 6.1.0, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1.0, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0

Aug 02, 2022 Severity black-background-circle-icon

Medium IR Number: FG-IR-22-055 CVE-2022-27484

FortiOS -- Inter-VDOM information leaking

An improper access control vulnerability [CWE-284] in FortiOS may allow an authenticated attacker with a restricted user p...

FortiOS 6.2.0, 6.2.1, 6.2.10, 6.2.11, 6.2.12, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5

Aug 02, 2022 Severity black-background-circle-icon

Medium IR Number: FG-IR-22-036 CVE-2022-23442

FortiOS, FortiProxy, FortiADC and FortiMail - Format string vulnerability in command line interpreter

A format string vulnerability [CWE-134] in the command line interpreter of FortiOS, FortiProxy, FortiADC, and FortiMail ma...

FortiOS-6K7K 6.4.6, 6.4.2, 6.2.9, 6.2.7, 6.2.6, 6.2.4, 6.2.12, 6.2.11, 6.2.10, 6.0.15, 6.0.14, 6.0.13, 6.0.12, 6.0.10 FortiADC 6.2.1, 6.2.0, 6.1.6, 6.1.5, 6.1.4, 6.1.3, 6.1.2, 6.1.1, 6.1.0, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0 FortiMail 7.0.2, 7.0.1, 7.0.0, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0 FortiOS 7.0.2, 7.0.1, 7.0.0, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.10, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0, 5.6.9, 5.6.8, 5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.14, 5.6.13, 5.6.12, 5.6.11, 5.6.10, 5.6.1, 5.6.0, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.13, 5.4.12, 5.4.11, 5.4.10, 5.4.1, 5.4.0, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.15, 5.2.14, 5.2.13, 5.2.12, 5.2.11, 5.2.10, 5.2.1, 5.2.0, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.14, 5.0.13, 5.0.12, 5.0.11, 5.0.10, 5.0.1, 5.0.0 FortiProxy 7.0.1, 7.0.0, 2.0.7, 2.0.6, 2.0.5, 2.0.4, 2.0.3, 2.0.2, 2.0.1, 2.0.0, 1.2.9, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.13, 1.2.12, 1.2.11, 1.2.10, 1.2.1, 1.2.0, 1.1.6, 1.1.5, 1.1.4, 1.1.3, 1.1.2, 1.1.1, 1.1.0, 1.0.7, 1.0.6, 1.0.5, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0.0

Aug 02, 2022 Severity black-background-circle-icon

High IR Number: FG-IR-21-235 CVE-2022-22299

FortiADC - Multiple SQL Injection vulnerabilities in the management interface

Multiple improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerabilities [CWE-89] in ...

FortiADC 7.0.1, 7.0.0, 6.2.2, 6.2.1, 6.2.0, 6.1.6, 6.1.5, 6.1.4, 6.1.3, 6.1.2, 6.1.1, 6.1.0, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1.0, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0