CVE-2024-23666

Summary

A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7.4.0 and 7.2.0 through 7.2.6 and 7.0.1 through 7.0.6 and 6.4.5 through 6.4.7 and 6.2.5, FortiManager version 7.4.0 through 7.4.1 and 7.2.0 through 7.2.4 and 7.0.0 through 7.0.11 and 6.4.0 through 6.4.14, FortiAnalyzer version 7.4.0 through 7.4.1 and 7.2.0 through 7.2.4 and 7.0.0 through 7.0.11 and 6.4.0 through 6.4.14 allows attacker to improper access control via crafted requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiManager7.4.0 <= 7.4.1affected
FortinetFortiManager7.2.0 <= 7.2.4affected
FortinetFortiManager7.0.0 <= 7.0.11affected
FortinetFortiManager6.4.0 <= 6.4.14affected
FortinetFortiAnalyzer7.4.0 <= 7.4.1affected
FortinetFortiAnalyzer7.2.0 <= 7.2.4affected
FortinetFortiAnalyzer7.0.0 <= 7.0.11affected
FortinetFortiAnalyzer6.4.0 <= 6.4.14affected

Weaknesses

  • CWE-602: Improper access control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References