PSIRT Advisories

Monthly PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.  

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

An information disclosure vulnerability in FortiWeb's Web Vulnerability Scan profile may allow a remote authenticated atta...

FortiWeb 6.3.4, 6.3.3, 6.3.2
Apr 06, 2021 Risk IR Number: FG-IR-20-076 CVE-2020-15942
An Improper Neutralization of Input During Web Page Generation in the SSL VPN portal of FortiProxy may allow an unauthenti...

FortiProxy 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6
Mar 02, 2021 Risk IR Number: FG-IR-20-230 CVE-2018-13380
A cleartext storage in a file or on disk (CWE-313) vulnerability in FortiProxy SSL VPN may allow an attacker to retrieve a...

FortiProxy 2.0.0, 1.2.9, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6
Mar 02, 2021 Risk IR Number: FG-IR-20-224 CVE-2019-17655
An improper access control vulnerability in FortiProxy SSL VPN portal may allow an authenticated, remote attacker to acces...

FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.9, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6
Mar 02, 2021 Risk IR Number: FG-IR-20-235 CVE-2021-22128
A cleartext storage of sensitive information vulnerability in FortiProxy command line interface may allow an authenticated...

FortiProxy 2.0.0, 1.2.9, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6
Mar 02, 2021 Risk IR Number: FG-IR-20-236 CVE-2020-6648
An improper neutralization of input vulnerability in FortiGate Cloud may allow a remote authenticated attacker to perform ...

Feb 24, 2021 Risk IR Number: FG-IR-20-193
An improper neutralization of input during web page generation in FortiWeb GUI interface may allow an unauthenticated, rem...

FortiWeb 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.1, 6.3.0, 6.2.3, 6.2.2, 6.2.1, 6.2.0
Feb 03, 2021 Risk IR Number: FG-IR-20-122 CVE-2021-22122
A buffer overflow vulnerability in the SSL VPN portal of FortiProxy may allow an unauthenticated, remote attacker to perfo...

Feb 03, 2021 Risk IR Number: FG-IR-20-232 CVE-2018-13381
A heap buffer overflow vulnerability in the FortiProxy SSL VPN web portal may cause the SSL VPN web service termination fo...

Feb 03, 2021 Risk IR Number: FG-IR-20-229 CVE-2018-13383
When traffic other than HTTP/S (eg: SSH traffic, etc...) traverses the FortiGate on port 80/443, it is not redirected to t...

FortiOS 6.2.4
Jan 21, 2021 Risk IR Number: FG-IR-20-172 CVE-2020-15938
An insufficient session expiration vulnerability in FortiIsolator may allow an attacker to reuse the unexpired admin user ...

FortiIsolator 2.0.0
Jan 21, 2021 Risk IR Number: FG-IR-20-011 CVE-2020-6649
An exposure of sensitive information to an unauthorized actor vulnerability in FortiGate may allow a remote authenticated ...

FortiOS 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.10, 6.0.1, 6.0.0
Jan 04, 2021 Risk IR Number: FG-IR-20-103 CVE-2020-29010
A blind SQL injection in the user interface of FortiWeb may allow an unauthenticated, remote attacker to execute arbitrary...

Jan 04, 2021 Risk IR Number: FG-IR-20-124 CVE-2020-29015
A stack-based buffer overflow vulnerability in FortiWeb may allow an unauthenticated, remote attacker to overwrite the con...

Jan 04, 2021 Risk IR Number: FG-IR-20-125 CVE-2020-29016
A stack-based buffer overflow vulnerability in FortiWeb may allow a remote, unauthenticated attacker to crash the httpd da...

Jan 04, 2021 Risk IR Number: FG-IR-20-126 CVE-2020-29019