CVE-2023-36638 — Improper Access Control in Fortinet Fortianalyzer

CWE-284 — Improper Access Control4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 67.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortianalyzer Fortinet Fortimanager

Timeline

PublishedSep 13

Description

An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDfortinet/fortimanager6.4.0 — 6.4.12+2

▶NVDfortinet/fortianalyzer6.0.0 — 6.4.12+2

▶CVEListV5fortinet/fortimanager7.2.0 — 7.2.2+4

▶CVEListV5fortinet/fortianalyzer7.2.0 — 7.2.2+4

🔴Vulnerability Details

CVEList

CVE-2023-36638: An improper privilege management vulnerability [CWE-269] in FortiManager 7↗2023-09-13

▶

GHSA

GHSA-65fg-v8cp-9qvc: An improper privilege management vulnerability [CWE-269] in FortiManager 7↗2023-09-13

▶

📋Vendor Advisories

Fortinet

Improper privilege management on API requests↗2023-09-13

▶