CVE-2024-36509

Summary

An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb version 7.6.0, version 7.4.3 and below, version 7.2.10 and below, version 7.0.10 and below, version 6.3.23 and below may allow an authenticated attacker to access the encrypted passwords of other administrators via the "Log Access Event" logs page.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiWeb7.6.0affected
FortinetFortiWeb7.4.0 <= 7.4.3affected
FortinetFortiWeb7.2.0 <= 7.2.10affected
FortinetFortiWeb7.0.0 <= 7.0.10affected
FortinetFortiWeb6.3.0 <= 6.3.23affected

Weaknesses

  • CWE-497: Information disclosure

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References