PSIRT Advisory

Multiple CSRF Vulnerabilities in FortiGate

Summary

The issue is tracked in Mantis 158276 and 204901.

Description

Multiple CSRF (Cross-Site Request Forgery) vulnerabilities exist in FortiGate because certain GUI pages are not protected by a CSRF token. State-changing requests to those pages are authorised by the session cookie alone, which the browser attaches automatically even when the request originates from another site. A remote attacker who lures a user with an active GUI session to a crafted web page could therefore cause that user's browser to submit requests to the FortiGate with the victim's authentication, hijacking the session of arbitrary users under certain conditions.
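The following is an added example, not FortiOS code and not part of the original advisory. It models the flaw class in a few dozen lines: an admin endpoint that trusts the session cookie alone accepts a form auto-submitted from an attacker's page, while the same endpoint with a per-session synchronizer token rejects it, because the attacker's origin cannot read the token. All names (AdminGui, add_admin_vulnerable, add_admin_hardened, the "sid" cookie and "csrf_token" field) and the sample data are constructed for the illustration.

```python
"""Model of a session-cookie-authenticated admin GUI: why a state-changing
request authorised by the cookie alone is forgeable, and how a per-session
CSRF token closes the hole. Constructed example; not FortiOS code."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Stand-in for an HTTP request. Browsers attach cookies for the target
    site automatically, even when the form was submitted from another origin,
    so the forged request carries the victim's cookie too."""
    cookies: dict
    form: dict


@dataclass
class Session:
    user: str
    # Token is random per session and only ever embedded in pages served to
    # this session, so another origin cannot learn it (same-origin policy).
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class AdminGui:
    def __init__(self):
        self.sessions = {}        # session id -> Session
        self.admins = {"admin"}   # state an attacker wants to change

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user=user)
        return sid

    def _session(self, req):
        return self.sessions.get(req.cookies.get("sid"))

    def form_token(self, req):
        """Token a legitimately served GUI page embeds as a hidden field."""
        sess = self._session(req)
        return sess.csrf_token if sess else None

    def add_admin_vulnerable(self, req):
        """Authorises on the session cookie alone: anything the victim's
        browser sends while logged in, including a form auto-submitted from
        an attacker page, is accepted."""
        sess = self._session(req)
        if sess is None:
            return 401
        self.admins.add(req.form["name"])
        return 200

    def add_admin_hardened(self, req):
        """Synchronizer-token check: the form must also carry the token issued
        to this session, compared in constant time. A forged request has no
        way to include it."""
        sess = self._session(req)
        if sess is None:
            return 401
        supplied = req.form.get("csrf_token", "")
        if not hmac.compare_digest(supplied, sess.csrf_token):
            return 403
        self.admins.add(req.form["name"])
        return 200


def forged_request(victim_cookies):
    """Form an attacker page auto-submits. The attacker chooses the body and
    relies on the browser to attach the victim's cookie; no token is known."""
    return Request(cookies=victim_cookies, form={"name": "backdoor"})


def demo():
    """Returns (vuln_status, vuln_created, hard_status, hard_created,
    legit_status, legit_created)."""
    gui = AdminGui()
    sid = gui.login("admin")
    vuln_status = gui.add_admin_vulnerable(forged_request({"sid": sid}))
    vuln_created = "backdoor" in gui.admins

    gui2 = AdminGui()
    sid2 = gui2.login("admin")
    hard_status = gui2.add_admin_hardened(forged_request({"sid": sid2}))
    hard_created = "backdoor" in gui2.admins

    # Legitimate submission from the real GUI page carries the token.
    token = gui2.form_token(Request({"sid": sid2}, {}))
    legit = Request({"sid": sid2}, {"name": "ops2", "csrf_token": token})
    legit_status = gui2.add_admin_hardened(legit)
    return (vuln_status, vuln_created, hard_status, hard_created,
            legit_status, "ops2" in gui2.admins)


if __name__ == "__main__":
    print(demo())
```

The practical check this models: log in to the GUI, capture a state-changing POST, then replay it with the hidden token removed or altered. If the device still applies the change, that page is authorised by the cookie alone and is forgeable from any site the administrator visits while logged in. The token must be unpredictable, bound to the session rather than global, and compared in constant time as above.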

Impact

Security Bypass

Affected Products

FortiGate units running FortiOS 4.3.12 and prior versions, or FortiOS 5.0.2 and prior versions.

Solutions

Upgrade FortiGates to FortiOS version 4.3.13 (for the 4.3 branch) or 5.0.3 (for the 5.0 branch).