ADVISORIES | July 25, 2024

IOActive Security Advisory | Fortinet FortiGate – Cross-site Scripting in SSL VPN

Affected Products

Product line      Affected versions
FortiOS 7.4       7.4.0 through 7.4.3
FortiOS 7.2       7.2.0 through 7.2.7
FortiOS 7.0       7.0.0 through 7.0.13
FortiOS 6.4       6.4 all versions
FortiProxy 7.4    7.4.0 through 7.4.3
FortiProxy 7.2    7.2.0 through 7.2.9
FortiProxy 7.0    7.0.0 through 7.0.16


Background

Fortinet, Inc. (Fortinet) is a global leader in cybersecurity solutions and services that provide protection against cyber threats. The company develops and sells security products and solutions such as firewalls, endpoint security, intrusion prevention systems, web filtering, antivirus, sandboxing, and VPN.

FortiGate is a network security device that provides protection against cyber threats. The device can perform various functions, such as firewall, intrusion prevention system, web content filtering, antivirus, sandboxing, and VPN. It is part of the Fortinet Security Fabric, which integrates different security products and services into a unified and automated platform.


Timeline

  • 2023-11-16: IOActive discovers the vulnerability
  • 2023-11-22: IOActive informs Fortinet about the identified vulnerability
  • 2024-01-12: Fortinet acknowledges the issue
  • 2024-04-26: CVE ID pre-reserved by Fortinet
  • 2024-07-10: Advisory published by Fortinet
  • 2024-07-25: IOActive advisory published