CVE-2022-39954

Severity: 9.1 CRITICAL
EPSS: 0.3% (top 43.95%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 16

Description

An improper restriction of XML external entity reference in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.7, FortiNAC version 9.1.0 through 9.1.8, FortiNAC version 8.8.0 through 8.8.11, FortiNAC version 8.7.0 through 8.7.6, FortiNAC version 8.6.0 through 8.6.5, FortiNAC version 8.5.0 through 8.5.4, FortiNAC version 8.3.7 allows an attacker to read arbitrary files or trigger a denial of service via specifically crafted XML documents.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | Exploitability: 3.9 | Impact: 3.4

Affected Packages (3 packages)

NVD | fortinet/fortinac | 9.4.0 | 9.4.2 | +1
NVD | fortinet/fortinac-f | < 7.2.0
CVEListV5 | fortinet/fortinac | 9.4.0 | 9.4.1 | +7

🔴 Vulnerability Details (2)

GHSA | GHSA-6g49-f785-8862: An improper restriction of xml external entity reference in Fortinet FortiNAC version 9 | 2023-02-16
CVEList | CVE-2022-39954: An improper restriction of xml external entity reference in Fortinet FortiNAC version 9 | 2023-02-16

📋 Vendor Advisories (1)

Fortinet | An improper restriction of xml external entity reference in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC vers... | 2023-02-16
CVE-2022-39954 (CRITICAL CVSS 9.1) | An improper restriction of xml exte | cvebase.io