CVE-2024-23666: Client-Side Enforcement of Server-Side Security in Fortinet FortiAnalyzer

Severity: 8.8 HIGH (NVD) / 7.5 (CNA)
EPSS: 10.3% (top 6.81%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2024-11-12

Description

A client-side enforcement of server-side security weakness in the following Fortinet products allows an attacker holding a low-privileged (read-only) account to bypass access control and perform sensitive operations via crafted requests:

FortiAnalyzer-BigData: at least version 7.4.0; 7.2.0 through 7.2.6; 7.0.1 through 7.0.6; 6.4.5 through 6.4.7; 6.2.5
FortiManager: 7.4.0 through 7.4.1; 7.2.0 through 7.2.4; 7.0.0 through 7.0.11; 6.4.0 through 6.4.14
FortiAnalyzer: 7.4.0 through 7.4.1; 7.2.0 through 7.2.4; 7.0.0 through 7.0.11; 6.4.0 through 6.4.14
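The weakness class behind this CVE (the server trusts that the client UI only offers permitted actions, and never re-checks the caller's role itself) is easiest to see side by side with its fix. The block below is an added illustration, not Fortinet's code and not the affected products' request handling: the session store, the operation names (get_status, delete_logs, set_password) and the role ranks are constructed for the example. It shows a read-only session submitting an admin-only operation directly, which the "vulnerable" handler executes and the hardened handler refuses.

```python
from dataclasses import dataclass

# Constructed sample data: one admin session and one read-only session.
SESSIONS = {
    "tok-admin": {"user": "alice", "role": "admin"},
    "tok-ro":    {"user": "bob",   "role": "readonly"},
}

# Hypothetical operations and the minimum role each one requires.
OPERATION_ROLE = {
    "get_status":   "readonly",
    "delete_logs":  "admin",
    "set_password": "admin",
}
ROLE_RANK = {"readonly": 0, "admin": 1}


@dataclass
class Request:
    token: str       # session token presented by the client
    operation: str   # operation the client asks the server to run


def handle_vulnerable(req):
    """Weak pattern (CWE-602 style): the server authenticates the session but
    authorises nothing per operation, trusting the UI to hide admin buttons
    from read-only users. Any crafted request from a valid session runs."""
    session = SESSIONS.get(req.token)
    if session is None:
        return (401, "unauthenticated")
    if req.operation not in OPERATION_ROLE:
        return (404, "unknown operation")
    return (200, f"{req.operation} executed as {session['user']}")


def handle_hardened(req):
    """Server-side enforcement: on every request the role bound to the session
    is compared with the role the operation requires, whatever the client sent."""
    session = SESSIONS.get(req.token)
    if session is None:
        return (401, "unauthenticated")
    required = OPERATION_ROLE.get(req.operation)
    if required is None:
        return (404, "unknown operation")
    if ROLE_RANK[session["role"]] < ROLE_RANK[required]:
        return (403, f"{session['role']} may not {req.operation}")
    return (200, f"{req.operation} executed as {session['user']}")


def crafted_readonly_request():
    """The kind of crafted request the description alludes to: a read-only
    session calling an admin-only operation directly, bypassing the UI."""
    return Request(token="tok-ro", operation="delete_logs")


if __name__ == "__main__":
    req = crafted_readonly_request()
    print("vulnerable:", handle_vulnerable(req))   # runs the admin operation
    print("hardened:  ", handle_hardened(req))     # 403, role checked server-side
```

The practical check when assessing a product for this class of bug is the same as the example: replay a privileged request with a low-privileged session's token and see whether the server, rather than the UI, says no.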

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (5 packages)

Source      Package                           Range             Further ranges
NVD         fortinet/fortianalyzer_big_data   6.2.1 to 7.2.7    +1
NVD         fortinet/fortianalyzer            6.4.0 to 6.4.15   +3
CVEListV5   fortinet/fortianalyzer            7.4.0 to 7.4.1    +3
NVD         fortinet/fortimanager             6.4.0 to 6.4.15   +3
CVEListV5   fortinet/fortimanager             7.4.0 to 7.4.1    +3

The NVD upper bounds (7.2.7, 6.4.15) read as the first fixed release rather than the last affected one, since the description lists 7.2.6 and 6.4.14 as the last affected versions; the CVEListV5 rows give inclusive affected ranges.

🔴 Vulnerability Details (2 sources)

GHSA, GHSA-jwm4-jq46-9g26 (2024-11-12): A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7...
CVEList, CVE-2024-23666 (2024-11-12): A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7...

📋 Vendor Advisories (1)

Fortinet (2024-11-12): Readonly users could run some sensitive operations