CVE-2023-41677 — Insufficiently Protected Credentials in Fortinet Fortios

CWE-522 — Insufficiently Protected Credentials4 documents4 sources

Severity

8.8HIGHNVD

CNA7.5

EPSS

0.2%

top 52.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiproxy

Timeline

PublishedApr 9

Description

A insufficiently protected credentials in Fortinet FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17 allows attacker to execute unauthorized code or commands via targeted social engineering attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDfortinet/fortios6.0.0 — 6.2.16+4

▶NVDfortinet/fortiproxy1.0.0 — 7.0.14+2

▶CVEListV5fortinet/fortios7.4.0 — 7.4.1+5

▶CVEListV5fortinet/fortiproxy7.4.0 — 7.4.1+6

🔴Vulnerability Details

CVEList

CVE-2023-41677: A insufficiently protected credentials in Fortinet FortiProxy 7↗2024-04-09

▶

GHSA

GHSA-hx3x-jq5m-p7xj: A insufficiently protected credentials in Fortinet FortiProxy 7↗2024-04-09

▶

📋Vendor Advisories

Fortinet

Administrator cookie leakage↗2024-04-09

▶