PSIRT Advisories

Monthly PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.  

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

An information disclosure vulnerability [CWE-200] in FortiAnalyzer and FortiManager VM may allow an authenticated attacker...

FortiManager 7.0.0, 6.4.6 FortiAnalyzer 7.0.0, 6.4.6
Oct 05, 2021 Risk IR Number: FG-IR-21-112 CVE-2021-36170
An improper neutralization of input vulnerability [CWE-79] in FortiAnalyzer may allow a remote authenticated attacker to p...

FortiAnalyzer 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.10, 6.0.1, 6.0.0
Oct 05, 2021 Risk IR Number: FG-IR-20-098 CVE-2021-24021
A path traversal vulnerability [CWE-22] in FortiClientEMS may allow an authenticated attacker to inject directory traversa...

FortiClientEMS 6.4.1, 6.4.0, 6.2.8, 6.2.7, 6.2.6, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0
Oct 05, 2021 Risk IR Number: FG-IR-20-074 CVE-2020-15941
An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS may allow an attacker to reuse the unexpired...

FortiClientEMS
Oct 05, 2021 Risk IR Number: FG-IR-20-072 CVE-2021-24019
An insufficiently protected credentials vulnerability [CWE-522] in FortiSDNConnector may allow an authenticated user to ob...

FortiSDNConnector 1.1.7, 1.1.6, 1.1.5, 1.1.4, 1.1.3, 1.1.2, 1.1.1, 1.1.0, 1.0.0
Oct 05, 2021 Risk IR Number: FG-IR-20-183 CVE-2021-36178
A stack-based buffer overflow vulnerability (CWE-121) in the profile parser of FortiSandbox may allow an authenticated att...

FortiSandbox 3.2.2, 3.1.4
Oct 05, 2021 Risk IR Number: FG-IR-20-234 CVE-2021-26105
An improper neutralization of input vulnerability [CWE-79] in FortiWebManager may allow a remote authenticated attacker to...

FortiWebManager 6.0.2
Oct 05, 2021 Risk IR Number: FG-IR-20-027 CVE-2021-36175
An improper neutralization of special elements used in an OS command vulnerability [CWE-78]  in the command line interpret...

FortiAuthenticator 6.3.0, 6.2.1, 6.2.0, 6.1.2, 6.1.1, 6.1.0, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.5.0, 5.4.1, 5.4.0, 5.3.1, 5.3.0, 5.2.2, 5.2.1, 5.2.0, 5.1.2, 5.1.1, 5.1.0, 5.0.0
Sep 07, 2021 Risk IR Number: FG-IR-21-068 CVE-2021-26116
An OS command injection (CWE-78) vulnerability in FortiClient for Linux may allow an unauthenticated, network-adjacent att...

FortiClientLinux
Sep 07, 2021 Risk IR Number: FG-IR-20-241 CVE-2021-22127
An improper authentication vulnerability [CWE-287] in FortiManager may allow a standard user to assign or un-assign a glob...

FortiManager 6.4.3, 6.2.6
Sep 07, 2021 Risk IR Number: FG-IR-20-189 CVE-2021-24017
An improper neutralization of formula elements vulnerability (CWE 1236) in FortiManager may allow a local authenticated pr...

FortiManager 6.4.3, 6.2.7
Sep 07, 2021 Risk IR Number: FG-IR-20-190 CVE-2021-24016
An exposure of sensitive information to an unauthorized actor vulnerability in FortiOS CLI may allow a local and authentic...

FortiOS 7.0.0, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0, 5.6.9, 5.6.8, 5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.14, 5.6.13, 5.6.12, 5.6.11, 5.6.10, 5.6.1, 5.6.0
Sep 07, 2021 Risk IR Number: FG-IR-20-243 CVE-2021-32600
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS may allow a remote unauth...

FortiOS 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0
Sep 07, 2021 Risk IR Number: FG-IR-19-301 CVE-2019-16151
A debug functionality in FortiGate may allow a privileged user to execute unauthorized code or commands via specific chai...

FortiOS 7.0.0, 6.4.6, 6.2.9
Sep 07, 2021 Risk IR Number: FG-IR-21-091 CVE-2021-36169
A cleartext storage in a file or on disk (CWE-313) vulnerability in FortiOS SSL VPN may allow an attacker to retrieve a lo...

FortiOS 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.6.9, 5.6.8, 5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.13, 5.6.12, 5.6.11, 5.6.10, 5.6.1, 5.6.0, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.13, 5.4.12, 5.4.11, 5.4.10, 5.4.1, 5.4.0, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.15, 5.2.14, 5.2.13, 5.2.12, 5.2.11, 5.2.10, 5.2.1, 5.2.0
Sep 07, 2021 Risk IR Number: FG-IR-19-217 CVE-2019-17655