CVE-2024-36509 — Exposure of Sensitive System Information to an Unauthorized Control Sphere in Fortinet Fortiweb
Severity
4.4 MEDIUM (NVD)
CNA: 4.2
EPSS
0.0%
top 85.27%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 12
Description
An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb version 7.6.0, version 7.4.3 and below, version 7.2.10 and below, version 7.0.10 and below, version 6.3.23 and below may allow an authenticated attacker to access the encrypted passwords of other administrators via the "Log Access Event" logs page.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Exploitability: 0.8 | Impact: 3.6
Affected Packages (2 packages)
Vulnerability Details
GHSA (2)
GHSA-cgpx-r229-qpvj: An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb version 7 (2024-11-12)
CVEList
CVE-2024-36509: An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb version 7 (2024-11-12)
Vendor Advisories
Fortinet (1)
An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb versio... (2024-11-12)