CVE-2023-36635

Severity
4.3 MEDIUM
EPSS
0.1%
top 71.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 7

Description

An improper access control in Fortinet FortiSwitchManager versions 7.2.0 through 7.2.2 and 7.0.0 through 7.0.1 may allow a remote authenticated read-only user to modify the interface settings via the API.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Exploitability: 2.8 | Impact: 4.2

Affected Packages (2 packages)

Source    | Package                    | Versions        | More
CVEListV5 | fortinet/fortiswitchmanager | 7.2.0 to 7.2.2 | +1
NVD       | fortinet/fortiswitchmanager | 5 versions      | +4

Vulnerability Details (2)

CVEList: CVE-2023-36635: An improper access control in Fortinet FortiSwitchManager version 7 (2023-09-07)
GHSA: GHSA-h8ww-c8wr-cp22: An improper access control in Fortinet FortiSwitchManager version 7 (2023-09-07)

Vendor Advisories (1)

Fortinet: Read-Only users able to add/modify the Interface fields using the API (2022-11-02)
CVE-2023-36635 (MEDIUM CVSS 4.3) | An improper access control in Forti | cvebase.io