Fortinet Family (FortiClientEMS, FortiManager) Security Update Recommendations
Overview
An update has been made available to address vulnerabilities in Fortinet products (FortiClientEMS and FortiManager). Users of affected versions are advised to update to the latest version.
Affected Products
CVE-2023-48788
- FortiClientEMS versions 7.2.0 through 7.2.2
- FortiClientEMS versions 7.0.1 through 7.0.10
CVE-2023-47534
- FortiClientEMS versions 7.2.0 through 7.2.2
- FortiClientEMS 6.4 all versions
- FortiClientEMS 6.2 all versions
- FortiClientEMS 6.0 all versions
CVE-2023-36554
- FortiManager version 7.4.0
- FortiManager versions 7.2.0 through 7.2.3
- FortiManager versions 7.0.0 through 7.0.10
- FortiManager versions 6.4.0 through 6.4.13
- FortiManager 6.2 all versions
Resolved Vulnerabilities
SQL Injection Vulnerability in FortiClientEMS that allows unauthenticated code and command execution (CVE-2023-48788) [1]
Arbitrary command execution vulnerability due to CSV file inclusion in FortiClientEMS (CVE-2023-47534) [2]
Inadequate access control vulnerability in FortiWLM MEA for FortiManager that could allow unauthenticated code and command execution (CVE-2023-36554) [3]
Vulnerability Patches
CVE-2023-48788, CVE-2023-47534
- FortiClientEMS 7.2.3 and later versions
- FortiClientEMS 7.0.11 or later within the 7.0 branch (7.0.11 up to, but not including, 7.2.0)
CVE-2023-36554
- FortiManager 7.4.1 and later versions
- FortiManager 7.2.4 or later within the 7.2 branch (7.2.4 up to, but not including, 7.4.0)
- FortiManager 7.0.11 or later within the 7.0 branch (7.0.11 up to, but not including, 7.2.0)
- FortiManager 6.4.14 or later within the 6.4 branch (6.4.14 up to, but not including, 7.0.0)
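The affected ranges and the per-branch fixed releases above are easy to misread during an inventory sweep (a 7.0.x install is fixed at 7.0.11 even though 7.2.0 is numerically higher and still vulnerable). The following script, added here as an example and not Fortinet's own tooling, transcribes the advisory's ranges into a small version checker: given a product and an installed version string it reports which of the three CVEs apply and the lowest fixed release in that branch. The function names and the sample versions in the usage block are assumptions of this example; versions with fewer than three components are padded with zeros.

```python
"""Check an installed FortiClientEMS / FortiManager version against the
affected and fixed ranges listed in this advisory.

Added example, not Fortinet's own code.  The ranges below are transcribed
from the advisory text; function names are this example's assumptions.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'7.0.10' -> (7, 0, 10).  Shorter strings are padded with zeros
    (assumption of this example), e.g. '6.4' -> (6, 4, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


# Affected ranges per CVE as (product, low, high), both ends inclusive.
# A two-component entry such as (6, 4) means "all versions of that branch".
AFFECTED: Dict[str, List[Tuple[str, Version, Version]]] = {
    "CVE-2023-48788": [
        ("FortiClientEMS", (7, 2, 0), (7, 2, 2)),
        ("FortiClientEMS", (7, 0, 1), (7, 0, 10)),
    ],
    "CVE-2023-47534": [
        ("FortiClientEMS", (7, 2, 0), (7, 2, 2)),
        ("FortiClientEMS", (6, 4), (6, 4)),
        ("FortiClientEMS", (6, 2), (6, 2)),
        ("FortiClientEMS", (6, 0), (6, 0)),
    ],
    "CVE-2023-36554": [
        ("FortiManager", (7, 4, 0), (7, 4, 0)),
        ("FortiManager", (7, 2, 0), (7, 2, 3)),
        ("FortiManager", (7, 0, 0), (7, 0, 10)),
        ("FortiManager", (6, 4, 0), (6, 4, 13)),
        ("FortiManager", (6, 2), (6, 2)),
    ],
}

# First fixed release per branch, from the "Vulnerability Patches" section.
# Branches absent here (e.g. FortiClientEMS 6.x) have no fixed release listed.
FIXED: Dict[str, Dict[Tuple[int, int], Version]] = {
    "FortiClientEMS": {(7, 2): (7, 2, 3), (7, 0): (7, 0, 11)},
    "FortiManager": {(7, 4): (7, 4, 1), (7, 2): (7, 2, 4),
                     (7, 0): (7, 0, 11), (6, 4): (6, 4, 14)},
}


def _fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def _in_range(version: Version, low: Version, high: Version) -> bool:
    if len(low) == 2:  # whole-branch entry: compare major.minor only
        return version[:2] == low
    return low <= version <= high


def affected_cves(product: str, version: str) -> List[str]:
    """CVE ids from this advisory that apply to the given product/version."""
    v = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(p == product and _in_range(v, lo, hi) for p, lo, hi in ranges)]


def assess(product: str, version: str) -> Dict[str, object]:
    """Return the applicable CVEs and the upgrade action for this install."""
    v = parse_version(version)
    cves = affected_cves(product, version)
    target = FIXED.get(product, {}).get(v[:2])
    if not cves:
        action = "not listed as affected"
    elif target is not None:
        action = f"upgrade to {_fmt(target)} or later"
    else:
        # No fixed release in this branch: list the fixed releases that exist.
        options = ", ".join(_fmt(t) for t in sorted(FIXED[product].values()))
        action = (f"no fixed release in the {v[0]}.{v[1]} branch; "
                  f"upgrade to one of {options} or later")
    return {"cves": cves, "action": action}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for product, version in [("FortiClientEMS", "7.0.5"),
                             ("FortiClientEMS", "6.4.9"),
                             ("FortiManager", "7.2.4")]:
        print(product, version, assess(product, version))
```

Because the fixed release is looked up by branch (major.minor) rather than by plain numeric comparison, the checker correctly reports 7.0.5 as needing 7.0.11 rather than suggesting 7.2.0, and it flags the FortiClientEMS 6.x branches, for which the advisory lists no fixed release, as needing a move to a fixed branch.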
Referenced Sites
[1] Pervasive SQL injection in DAS component
https://www.fortiguard.com/psirt/FG-IR-24-007
[2] FortiClientEMS – CSV injection in log download feature
https://www.fortiguard.com/psirt/FG-IR-23-390
[3] FortiWLM MEA for FortiManager – improper access control in backup and restore features
https://www.fortiguard.com/psirt/FG-IR-23-103