CVE-2023-25606

Summary

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-23] in FortiAnalyzer and FortiManager management interface 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, 6.4  all versions may allow a remote and authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiManager7.2.0 <= 7.2.1affected
FortinetFortiManager7.0.0 <= 7.0.5affected
FortinetFortiManager6.4.0 <= 6.4.10affected
FortinetFortiAnalyzer7.2.0 <= 7.2.1affected
FortinetFortiAnalyzer7.0.0 <= 7.0.5affected
FortinetFortiAnalyzer6.4.0 <= 6.4.10affected

Weaknesses

  • CWE-22: Information disclosure

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References