Brute Force Attack Through Change Password Endpoint
CVE-2024-45327

7.1HIGH

Key Information:

Vendor: Fortinet
Status: Fortisoar
Vendor: CVE Published:; 11 September 2024

Summary

FortiSOAR, a security orchestration tool by Fortinet, contains an improper authorization vulnerability that may be exploited by authenticated attackers. This flaw exists within the change password endpoint across multiple versions, including 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, and 7.0.0 through 7.0.3. Attackers can leverage this vulnerability to conduct brute force password attacks through specially crafted HTTP requests, posing significant risks to user and administrator credentials.

Affected Version(s)

FortiSOAR 7.4.0 <= 7.4.3

FortiSOAR 7.3.0 <= 7.3.2

FortiSOAR 7.2.0 <= 7.2.2

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-048

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 11, 2024
Vulnerability Reserved
Aug 27, 2024