PSIRT Advisories

Monthly PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.  

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

An improper access control vulnerability [CWE-284] in FortiOS and FortiProxy autod daemon may allow an authenticated low-p...

FortiOS 7.0.0, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0, 5.6.9, 5.6.8, 5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.14, 5.6.13, 5.6.12, 5.6.11, 5.6.10, 5.6.1, 5.6.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-20-131 CVE-2021-26110
An improper access control vulnerability [CWE-284] in FortiWLC may allow an authenticated and remote attacker with low pri...

FortiWLC 8.6.1, 8.6.0, 8.5.5, 8.5.4, 8.5.3, 8.5.2, 8.5.1, 8.5.0, 8.4.8, 8.4.7, 8.4.6, 8.4.5, 8.4.4, 8.4.2, 8.4.1, 8.4.0, 8.3.3, 8.3.2, 8.3.1, 8.3.0, 8.2.7, 8.2.6, 8.2.5, 8.2.4, 8.1.3, 8.1.2, 8.0.6, 8.0.5
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-200 CVE-2021-42758
An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiWLM...

FortiWLM 8.6.1, 8.6.0, 8.5.3, 8.5.2, 8.5.1, 8.5.0, 8.4.2, 8.4.1, 8.4.0, 8.3.2, 8.3.1, 8.3.0, 8.2.2
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-129 CVE-2021-42760
Multiple heap-based buffer overflow vulnerabilities [CWE-122] in web API controllers of FortiWeb may allow a remote authen...

FortiWeb 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-160 CVE-2021-41017
An uncontrolled resource consumption vulnerability [CWE-400] in FortiWeb may allow an unauthenticated attacker to cause a ...

FortiWeb 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.1.2, 6.1.1, 6.1.0, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-131 CVE-2021-41014
Multiple improper neutralization of special elements used in a command vulnerabilities [CWE-77] in FortiWeb management int...

FortiWeb 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.1.2, 6.1.1, 6.1.0, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.9.2, 5.9.1, 5.9.0, 5.8.7, 5.8.6, 5.8.5, 5.8.3, 5.8.2, 5.8.1, 5.8.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-120 CVE-2021-36180
Multiple relative path traversal vulnerabilities [CWE-23] in the API of FortiWeb may allow an authenticated attacker to re...

FortiWeb 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-156 CVE-2021-41026
Multiple stack-based buffer overflows [CWE-121] in the API controllers of FortiWeb may allow an authenticated attacker to ...

FortiWeb 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-152 CVE-2021-36194
A heap-based buffer overflow [CWE-122] vulnerability in FortiWeb may allow an authenticated attacker to execute arbitrary ...

FortiWeb 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.16, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0
Dec 07, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-188 CVE-2021-43071
An unsafe search path vulnerability  in FortiClient and FortiClient EMS may allow an attacker to perform a DLL Hijack atta...

FortiClientEMS 7.0.0, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.8, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0 FortiClientWindows 7.0.0, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.10, 6.0.1, 6.0.0
Nov 29, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-088 CVE-2021-32592
An improper authorization vulnerability [CWE-285] in FortiClient for Windows may allow a local unprivileged attacker to es...

FortiClientWindows 7.0.1, 7.0.0, 6.4.2, 6.4.1, 6.4.0
Nov 02, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-20-079 CVE-2021-36183
An improper privilege management vulnerability [CWE-269] in the FortiSIEM Windows Agent may allow an authenticated user to...

FortiSIEMWindowsAgent 4.1.4, 4.1.3, 4.1.2, 4.1.1, 4.1.0, 4.0.1, 4.0.0, 3.3.1, 3.3.0, 3.2.3, 3.2.2, 3.2.1, 3.2.0, 3.1.3, 3.1.2, 3.1.0
Nov 02, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-176 CVE-2021-41022
An improper neutralization of special elements used in an OS command vulnerability ('OS Command Injection') [CWE-78] in Fo...

FortiWLM 8.6.1, 8.6.0, 8.5.3, 8.5.2, 8.5.1, 8.5.0, 8.4.2, 8.4.1, 8.4.0, 8.3.2, 8.3.1, 8.3.0, 8.2.2
Nov 02, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-110 CVE-2021-36185
An improper neutralization of special elements [CWE-79] used in an SQL command vulnerability ('SQL Injection') [CWE-89] in...

FortiWLM 8.6.1, 8.6.0, 8.5.3, 8.5.2, 8.5.1, 8.5.0, 8.4.2, 8.4.1, 8.4.0, 8.3.2, 8.3.1, 8.3.0, 8.2.2
Nov 02, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-107 CVE-2021-36184
A stack-based buffer overflow [CWE-121] vulnerability in FortiWeb may allow an unauthenticated attacker to overwrite the c...

FortiWeb 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0
Nov 02, 2021 Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo High IR Number: FG-IR-21-119 CVE-2021-36186