CVE-2023-22636 — Improper Authorization in Fortinet Fortiweb

CWE-285 — Improper Authorization4 documents4 sources

Severity

3.3LOWNVD

CNA7.0

EPSS

0.0%

top 93.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortiweb

Timeline

PublishedFeb 27

Description

An unauthorized configuration download vulnerability in FortiWeb 6.3.6 through 6.3.21, 6.4.0 through 6.4.2 and 7.0.0 through 7.0.4 may allow a local attacker to access confidential configuration files via a crafted http request.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5fortinet/fortiweb7.0.0 — 7.0.4+2

▶NVDfortinet/fortiweb6.3.6 — 6.3.21+2

🔴Vulnerability Details

CVEList

CVE-2023-22636: An unauthorized configuration download vulnerability in FortiWeb 6↗2023-02-27

▶

GHSA

GHSA-r8gh-fx77-763f: An unauthorized configuration download vulnerability in FortiWeb 6↗2023-02-27

▶

📋Vendor Advisories

Fortinet

An unauthorized configuration download vulnerability in FortiWeb 6.3.6 through 6.3.21, 6.4.0 through 6.4.2 and 7.0.0 thr...↗2023-02-27

▶