Saturday, December 9, 2023

Fortinet FortiOS Flaw Let Attacker Execute Malicious JavaScript Code

By Eswar

Fortinet FortiOS has been discovered with Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities, which threat actors can use for malicious purposes.

These vulnerabilities have been given the CVE IDs CVE-2023-29183 and CVE-2023-34984. The severity of these vulnerabilities has been categorized as CVE-2023-29183 – 5.4 (Medium) and CVE-2023-34984 – 8.8 (High) by NVD.

Document
Get a Demo

Start protecting your SaaS data in just a few minutes!

With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.

Cross-Site Scripting (XSS): CVE-2023-29183

This vulnerability exists due to improper input neutralization during web page generation, which could allow an authenticated attacker to execute a malicious JavaScript code through a crafted guest management setting.

Fortinet has given the severity for this vulnerability as 7.3 (High). 

Affected Products and fixed in version

ProductAffected VersionFixed in Version
FortiProxy7.2.0 through 7.2.47.0.0 through 7.0.107.2.5 or above7.0.11 or above
FortiOS7.2.0 through 7.2.4,7.0.0 through 7.0.11,6.4.0 through 6.4.12,6.2.0 through 6.2.147.4.0 or above7.2.5 or above7.0.12 or above6.4.13 or above6.2.15 or above

Cross-Site Request Forgery (CSRF): CVE-2023-34984

This vulnerability exists due to a failure in the protection mechanism in FortiWeb, which could allow a threat actor to bypass CSRF and XSS protections. The severity for this vulnerability has been given as 8.8 (High).

Two security advisories have been published by Fortiguard, which provide detailed information regarding the component affected and other information.

Affected Products and fixed in version

ProductAffected VersionFixed in Version
FortiWeb7.2.0 through 7.2.17.0.0 through 7.0.66.4 all versions6.3 all versions7.2.2 or above7.0.7 or above

Users of these products are recommended to upgrade to the latest versions of these products to prevent these vulnerabilities from getting exploited by threat actors.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Managed WAF Protection

Website

Latest articles

Cyber Security News

WordPress POP Chain Flaw Exposes Over 800M+ Websites to Attack

A critical remote code execution vulnerability has been patched as part of the Wordpress...
Cyber Attack

Russian Star Blizzard New Evasion Techniques to Hijack Email Accounts

Hackers target email accounts because they contain valuable personal and financial information. Successful email...
cyber security

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...
cyber security

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...
cyber security

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...
cyber security

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...
cyber security

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Register Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

[email protected]