CVE-2022-27488

CWE-352 — Cross-Site Request Forgery (CSRF)4 documents4 sources

Severity

8.8HIGH

EPSS

0.4%

top 36.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortimail Fortinet Fortindr Fortinet Fortirecorder +3 more

Timeline

PublishedDec 13

Description

A cross-site request forgery (CSRF) in Fortinet FortiVoiceEnterprise version 6.4.x, 6.0.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.0 through 6.2.7, 6.0.x, FortiMail version 7.0.0 through 7.0.3, 6.4.0 through 6.4.6, 6.2.x, 6.0.x FortiRecorder version 6.4.0 through 6.4.2, 6.0.x, 2.7.x, 2.6.x, FortiNDR version 1.x.x allows a remote unauthenticated attacker to execute commands on the CLI via tricking an authenticated administrator to execute malicious GET requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:HExploitability: 2.8 | Impact: 5.5

Affected Packages11 packages

▶CVEListV5fortinet/fortindr7.0.0 — 7.0.4+6

▶NVDfortinet/fortindr7.0.0 — 7.0.4+1

▶CVEListV5fortinet/fortimail7.0.0 — 7.0.3+3

▶NVDfortinet/fortimail6.0.0 — 6.0.12+3

▶CVEListV5fortinet/fortiswitch7.0.0 — 7.0.4+3

🔴Vulnerability Details

CVEList

CVE-2022-27488: A cross-site request forgery (CSRF) in Fortinet FortiVoiceEnterprise version 6↗2023-12-13

▶

GHSA

GHSA-qvxv-pfwq-9h5h: A cross-site request forgery (CSRF) in Fortinet FortiVoiceEnterprise version 6↗2023-12-13

▶

📋Vendor Advisories

Fortinet

Cross-site scripting forgery (CSRF) in HTTPd CLI console↗2023-12-13

▶