CVE-2024-48885

Summary

A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiRecorder 7.2.0 through 7.2.1, FortiRecorder 7.0.0 through 7.0.4, FortiVoice 7.0.0 through 7.0.4, FortiVoice 6.4.0 through 6.4.9, FortiVoice 6.0 all versions, FortiWeb 7.6.0, FortiWeb 7.4.0 through 7.4.4, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions, FortiWeb 6.4 all versions allows attacker to escalate privilege via specially crafted packets.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiRecorder7.2.0 <= 7.2.1affected
FortinetFortiRecorder7.0.0 <= 7.0.4affected
FortinetFortiWeb7.6.0affected
FortinetFortiWeb7.4.0 <= 7.4.4affected
FortinetFortiWeb7.2.0 <= 7.2.12affected
FortinetFortiWeb7.0.0 <= 7.0.12affected
FortinetFortiWeb6.4.0 <= 6.4.3affected
FortinetFortiVoice7.0.0 <= 7.0.4affected
FortinetFortiVoice6.4.0 <= 6.4.9affected
FortinetFortiVoice6.0.0 <= 6.0.12affected

Weaknesses

  • CWE-22: Escalation of privilege

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References