CVE-2021-41013 — Incorrect Authorization in Fortinet Fortiweb

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.5%

top 34.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortiweb Fortinet Fortiweb

Timeline

PublishedDec 8

Latest updateDec 9

Description

An improper access control vulnerability [CWE-284] in FortiWeb versions 6.4.1 and below and 6.3.15 and below in the Report Browse section of Log & Report may allow an unauthorized and unauthenticated user to access the Log reports via their URLs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDfortinet/fortiweb6.3.0 — 6.3.15+2

▶CVEListV5fortinet/fortinet_fortiwebFortiWeb 6.4.1, 6.4.0, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.1, 6.3.0

Patches

Patch: fortiguard.com ↗Patch: fortiguard.com ↗

🔴Vulnerability Details

GHSA

GHSA-78rc-hmp8-p646: An improper access control vulnerability [CWE-284] in FortiWeb versions 6↗2021-12-09

▶

CVEList

CVE-2021-41013: An improper access control vulnerability [CWE-284] in FortiWeb versions 6↗2021-12-08

▶

📋Vendor Advisories

Fortinet

An improper access control vulnerability [CWE-284] in FortiWeb versions 6.4.1 and below and 6.3.15 and below in the Repo...↗2021-12-08

▶