CVE-2023-36638

An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID.
References
Link Resource
https://fortiguard.com/psirt/FG-IR-22-522 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*

History

15 Sep 2023, 15:13

Type Values Removed Values Added
First Time Fortinet fortianalyzer
Fortinet fortimanager
Fortinet
CWE NVD-CWE-noinfo
CPE cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
References (MISC) https://fortiguard.com/psirt/FG-IR-22-522 - (MISC) https://fortiguard.com/psirt/FG-IR-22-522 - Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.3

13 Sep 2023, 13:57

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-13 13:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-36638

Mitre link : CVE-2023-36638

CVE.ORG link : CVE-2023-36638


JSON object : View

Products Affected

fortinet

  • fortimanager
  • fortianalyzer
CWE
NVD-CWE-noinfo CWE-284

Improper Access Control