PT-2021-16955 · Fortinet · Fortigate+2

Published: 2021-12-07 · Updated: 2021-12-10 · CVE-2021-26103

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FortiProxy versions 2.0.3 and below, 1.2.11 and below; FortiGate versions 7.0.0, 6.4.6 and below, 6.2.9 and below
Description: An insufficient verification of data authenticity vulnerability in the user interface of the FortiProxy and FortiGate SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack. Only SSL VPN in web mode or full mode is impacted by this vulnerability.
Recommendations: For FortiProxy versions 2.0.3 and below, FortiProxy versions 1.2.11 and below, and FortiGate versions 7.0.0, 6.4.6 and below, 6.2.9 and below, consider disabling the SSL VPN portal in web mode or full mode until a patch is available. As a temporary workaround, restrict access to the SSL VPN portal to minimize the risk of exploitation.

Fix

Weakness Enumeration: Insufficient Verification of Data Authenticity

Related Identifiers: CVE-2021-26103

Affected Products:
Fortigate
Fortiproxy
Fortios