CVE-2020-15942 — Insufficiently Protected Credentials in Fortinet Fortiweb

CWE-522 — Insufficiently Protected Credentials CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

6.5MEDIUMNVD

CNA4.3

EPSS

0.1%

top 64.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortiweb Fortinet Fortiweb

Timeline

PublishedApr 12

Latest updateMay 24

Description

An information disclosure vulnerability in Web Vulnerability Scan profile of Fortinet's FortiWeb version 6.2.x below 6.2.4 and version 6.3.x below 6.3.5 may allow a remote authenticated attacker to read the password used by the FortiWeb scanner to access the device defined in the scan profile.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDfortinet/fortiweb6.2.0 — 6.2.3+1

▶CVEListV5fortinet/fortinet_fortiwebFortiWeb 6.3.4, 6.2.3

🔴Vulnerability Details

GHSA

GHSA-33m4-frvp-3wr7: An information disclosure vulnerability in Web Vulnerability Scan profile of Fortinet's FortiWeb version 6↗2022-05-24

▶

CVEList

CVE-2020-15942: An information disclosure vulnerability in Web Vulnerability Scan profile of Fortinet's FortiWeb version 6↗2021-04-12

▶

📋Vendor Advisories

Fortinet

An information disclosure vulnerability in Web Vulnerability Scan profile of Fortinet's FortiWeb version 6.2.x below 6.2...↗2021-04-12

▶