An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy verison 2.0.3 and below, 1.2.11 and below and FortiGate verison 7.0.0, 6.4.6 and below, 6.2.9 and below of SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack . Only SSL VPN in web mode or full mode are impacted by this vulnerability.
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Fortiproxy | Fortinet | 1.2.0 (including) | 1.2.11 (including) |
| Fortiproxy | Fortinet | 2.0.0 (including) | 2.0.3 (including) |
| Fortios | Fortinet | 5.6.0 (including) | 5.6.14 (including) |
| Fortios | Fortinet | 6.0.0 (including) | 6.0.13 (including) |
| Fortios | Fortinet | 6.2.0 (including) | 6.2.9 (including) |
| Fortios | Fortinet | 6.4.0 (including) | 6.4.6 (including) |
| Fortios | Fortinet | 7.0.0 (including) | 7.0.0 (including) |