CVE-2023-44254

Summary

An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiAnalyzer7.4.0affected
FortinetFortiAnalyzer7.2.0 <= 7.2.4affected
FortinetFortiAnalyzer7.0.0 <= 7.0.12affected
FortinetFortiAnalyzer6.4.0 <= 6.4.14affected
FortinetFortiAnalyzer6.2.0 <= 6.2.12affected
FortinetFortiManager7.4.0affected
FortinetFortiManager7.2.0 <= 7.2.4affected
FortinetFortiManager7.0.0 <= 7.0.12affected
FortinetFortiManager6.4.0 <= 6.4.14affected
FortinetFortiManager6.2.0 <= 6.2.12affected

Weaknesses

  • CWE-639: Information disclosure

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References