=====================================================================

                             CERT-Renater

                   Information Note No. 2023/VULN327

_____________________________________________________________________

DATE                : 14/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiWeb versions prior to
                     7.2.2 or 7.0.7.

=====================================================================
https://fortiguard.fortinet.com/psirt/FG-IR-23-068
_____________________________________________________________________


FortiWeb - Insufficient protections against XSS and CSRF


Summary

A protection mechanism failure [CWE-693] vulnerability in FortiWeb
may allow an attacker to bypass XSS and CSRF protections.


Affected Products

FortiWeb version 7.2.0 through 7.2.1
FortiWeb version 7.0.0 through 7.0.6
FortiWeb 6.4 all versions
FortiWeb 6.3 all versions


Solutions
Please upgrade to FortiWeb version 7.2.2 or above
Please upgrade to FortiWeb version 7.0.7 or above


Acknowledgement
Internally discovered and reported by Gwendal Guégniaud of
Fortinet Product Security team.


Timeline
2023-09-05: Initial publication



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
