Potential Exposure of Sensitive Information Through Crafted HTTP or HTTPS Requests
CVE-2023-44255

3.9 LOW

Key Information:

Vendor: Fortinet
CVE Published: 12 November 2024

Summary

Fortinet FortiManager prior to version 7.4.2, FortiAnalyzer prior to version 7.4.2, and FortiAnalyzer-BigData prior to version 7.2.5 contain an exposure of sensitive information that allows an authenticated administrator holding read permissions to retrieve event logs belonging to another Administrative Domain (ADOM) by sending specially crafted HTTP or HTTPS requests. ADOMs are how these products separate the devices, logs and administrators of different tenants or business units on one shared appliance, so the practical impact is a cross-tenant read: an administrator scoped to one ADOM can see log data that should only be visible inside another. Exploitation needs an existing administrative account, which keeps the score low, but an ADOM boundary that can be crossed with a crafted request is still a failure of the isolation that shared deployments rely on. Upgrade to the first fixed release named above; until then, treat every ADOM-scoped administrator account as able to read event logs appliance-wide when deciding who may hold one.
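The bug class the summary describes, as an added example (not Fortinet code and not a description of FortiAnalyzer internals; the data model, the request shape and every function name are assumptions made for the illustration): a log query handler that verifies the caller holds a read permission but takes the ADOM name straight from the request, next to the same handler with the missing scope check.

```python
"""Hypothetical model of an ADOM-scoped log query handler.

Added illustration of the bug class in the advisory, not Fortinet code and
not a description of FortiAnalyzer internals. The data model, function
names and request shape are all assumptions made for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Admin:
    name: str
    permissions: frozenset   # e.g. {"log:read"}
    adoms: frozenset         # ADOMs this administrator is assigned to


@dataclass
class Store:
    # constructed sample data: event logs keyed by ADOM name
    logs: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


def query_logs_vulnerable(store: Store, admin: Admin, request: dict) -> list:
    """Checks *that* the caller may read logs, but not *which* ADOM's logs.

    The 'adom' field comes straight from the request body, so an admin
    assigned only to "tenant-a" can name "tenant-b" in a crafted request
    and receive that ADOM's events.
    """
    if "log:read" not in admin.permissions:
        raise Forbidden("no log read permission")
    adom = request.get("adom")
    return list(store.logs.get(adom, []))


def query_logs_fixed(store: Store, admin: Admin, request: dict) -> list:
    """Same entry point, but the requested ADOM must be one the caller is
    assigned to. The scope check runs before any data is touched, and a
    request for a foreign ADOM is rejected rather than silently emptied,
    so the attempt shows up in audit logs.
    """
    if "log:read" not in admin.permissions:
        raise Forbidden("no log read permission")
    adom = request.get("adom")
    if adom not in admin.adoms:
        raise Forbidden(f"admin {admin.name!r} is not assigned to ADOM {adom!r}")
    return list(store.logs.get(adom, []))


def build_sample_store() -> Store:
    """Constructed sample data for the demonstration."""
    return Store(logs={
        "tenant-a": [{"id": 1, "msg": "login from 10.0.0.5"}],
        "tenant-b": [{"id": 2, "msg": "vpn tunnel up, psk rotated"}],
    })


def demo() -> dict:
    """Runs both handlers with a crafted cross-ADOM request and reports how
    many foreign log entries each one hands back."""
    store = build_sample_store()
    attacker = Admin("alice", frozenset({"log:read"}), frozenset({"tenant-a"}))
    crafted = {"adom": "tenant-b", "limit": 100}   # an ADOM alice is not assigned to

    leaked = len(query_logs_vulnerable(store, attacker, crafted))
    try:
        query_logs_fixed(store, attacker, crafted)
        leaked_fixed = -1   # unreachable if the scope check works
    except Forbidden:
        leaked_fixed = 0
    own = len(query_logs_fixed(store, attacker, {"adom": "tenant-a"}))
    return {"vulnerable_leaked": leaked, "fixed_leaked": leaked_fixed, "own_adom_rows": own}


if __name__ == "__main__":
    print(demo())
```

The point of the fixed version is that the authorization decision is made on the tuple (caller, ADOM named in the request), not on the caller alone; any per-tenant resource identifier that the client can choose needs the same check.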

Affected Version(s)

  • FortiAnalyzer 7.4.0 up to, but not including, 7.4.2 (the page's original "<= 7.4.2" bound conflicts with the summary, which gives 7.4.2 as the first fixed release)
  • FortiAnalyzer 7.2.0 through 7.2.3
  • FortiAnalyzer 7.0.0 through 7.0.13

Only FortiAnalyzer ranges are listed here; the FortiManager and FortiAnalyzer-BigData ranges appear only in the summary above.


CVSS V3.1

Score: 3.9
Severity: LOW
Vector (as spelled out by the metrics below): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: Low

Caveat: the metric values as listed do not reproduce the 3.9 base score. Under the CVSS v3.1 equations, AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L scores 5.5, and the same vector with no availability impact (A:N, which is what the pure information exposure in the summary would normally carry) scores 4.1. Before reusing these metrics in a risk calculation, check them against the vendor advisory and NVD rather than copying this table.

Timeline

  • Vulnerability reserved
  • Vulnerability published: 12 November 2024