Improper XML External Entity Handling in Fortinet FortiNAC
CVE-2022-39954

6.9MEDIUM

Key Information:

Vendor: Fortinet
Status: Fortinac
Vendor: CVE Published:; 16 February 2023

What is CVE-2022-39954?

Fortinet FortiNAC is susceptible to an improper restriction of XML external entity references, impacting various versions. This vulnerability enables attackers to exploit crafted XML documents to either read arbitrary files from the affected server or induce a denial of service. The flaw exists across multiple versions, affecting user environments where FortiNAC is deployed, thereby opening avenues for potential data breaches and service interruptions.

Affected Version(s)

FortiNAC 9.4.0 <= 9.4.1

FortiNAC 9.2.0 <= 9.2.7

FortiNAC 9.1.0 <= 9.1.8

References

https://fortiguard.com/psirt/FG-IR-22-304

CVSS V3.1

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 16, 2023
Vulnerability Reserved
Sep 5, 2022