Headline

CVE-2023-34992: Fortiguard

A improper neutralization of special elements used in an os command (‘os command injection’) in Fortinet FortiSIEM version 7.0.0 and 6.7.0 through 6.7.5 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.1 and 6.4.0 through 6.4.2 allows attacker to execute unauthorized code or commands via crafted API requests.

1 year ago

CVE

Open in Source

#vulnerability #auth

** PSIRT Advisories**

FortiSIEM - Remote unauthenticated os command injection

Summary

An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.

Affected Products

FortiSIEM version 7.0.0
FortiSIEM version 6.7.0 through 6.7.5
FortiSIEM version 6.6.0 through 6.6.3
FortiSIEM version 6.5.0 through 6.5.1
FortiSIEM version 6.4.0 through 6.4.2

Solutions

Please upgrade to FortiSIEM version 7.0.1 or above
Please upgrade to FortiSIEM version 6.7.6 or above
Please upgrade to FortiSIEM upcoming version 6.6.4 or above
Please upgrade to FortiSIEM upcoming version 6.5.2 or above
Please upgrade to FortiSIEM upcoming version 6.4.3 or above

Acknowledgement

Fortinet is pleased to thank security researchers Zach Hanley (@hacks_zach) of Horizon3.ai for discovering and reporting this vulnerability under responsible disclosure.

Timeline

2023-10-02: Initial publication

Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices. The first set from Cisco consists of three flaws – CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2) – impacting Cisco Expressway Series that could allow an

9 months ago

The Hacker News

Open in Source

#xss #csrf #vulnerability #web #cisco #dos #vmware #auth #The Hacker News

CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation in the wild. The vulnerabilities are as follows - CVE-2023-36584 (CVSS score: 5.4) - Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability CVE-2023-1671 (CVSS score: 9.8) -

12 months ago

The Hacker News

Open in Source

#vulnerability #web #windows #microsoft #oracle #rce #auth #The Hacker News