FortiManager Vulnerability Allows Privileged Attacker to Execute Unauthorized Code
CVE-2023-41842

6.3 MEDIUM

Key Information:

Vendor:
Fortinet
CVE Published:
12 March 2024

Summary

A vulnerability exists in multiple Fortinet products due to the use of an externally-controlled format string, exposing the system to potential unauthorized code execution. This flaw allows a privileged attacker to inject specially crafted command arguments that could lead to execution of arbitrary code in the context of the affected application. The vulnerability affects FortiManager versions 7.4.0 to 7.4.1, 7.2.0 to 7.2.3, and versions prior to 7.0.10, as well as FortiAnalyzer in similar version ranges. Additionally, it impacts FortiAnalyzer-BigData versions prior to 7.2.5 and all versions of FortiPortal 6.0 and 5.3. Users and administrators are urged to update affected products to the patched versions to mitigate the risk.

Affected Version(s)

FortiAnalyzer 7.4.0 to 7.4.1 inclusive

FortiAnalyzer 7.2.0 to 7.2.3 inclusive

FortiAnalyzer 7.0.0 to 7.0.9 inclusive

CVSS v3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 12 March 2024

  • Vulnerability reserved