Improper Privilege Management in Fortinet FortiSandbox and FortiDeceptor
CVE-2022-27487

8.3HIGH

Key Information:

Vendor: Fortinet
Status: Fortideceptor; Fortisandbox
Vendor: CVE Published:; 11 April 2023

Summary

The vulnerability identified in Fortinet's FortiSandbox and FortiDeceptor products exposes them to the risk of unauthorized API calls. Remote authenticated attackers can exploit this weakness by sending carefully crafted HTTP or HTTPS requests. This flaw could lead to significant security concerns, as it undermines the integrity of the permission mechanisms, potentially allowing unauthorized actions within the affected systems.

Affected Version(s)

FortiDeceptor 4.1.0

FortiDeceptor 4.0.0 <= 4.0.2

FortiDeceptor 3.3.0 <= 3.3.3

References

https://fortiguard.com/psirt/FG-IR-22-056

CVSS V3.1

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 11, 2023
Vulnerability Reserved
Mar 21, 2022

Collectors

NVD DatabaseMitre Database