Headline
CVE-2023-40715: Fortiguard
A cleartext storage of sensitive information vulnerability [CWE-312] in FortiTester 2.3.0 through 7.2.3 may allow an attacker with access to the DB contents to retrieve the plaintext password of external servers configured in the device.
**PSIRT Advisories**
FortiTester - Password storage in cleartext in DB for external servers
Summary
A cleartext storage of sensitive information vulnerability [CWE-312] in FortiTester may allow an attacker with access to the DB contents to retrieve the plaintext password of external servers configured in the device.
Affected Products
FortiTester 7.2 all versions
FortiTester 7.1 all versions
FortiTester 7.0 all versions
FortiTester 4.2 all versions
FortiTester 4.1 all versions
FortiTester 4.0 all versions
FortiTester 3.9 all versions
FortiTester 3.8 all versions
FortiTester 3.7 all versions
FortiTester 3.6 all versions
FortiTester 3.5 all versions
FortiTester 3.4 all versions
FortiTester 3.3 all versions
FortiTester 3.2 all versions
FortiTester 3.1 all versions
FortiTester 3.0 all versions
FortiTester 2.9 all versions
FortiTester 2.8 all versions
FortiTester 2.7 all versions
FortiTester 2.6 all versions
FortiTester 2.5 all versions
FortiTester 2.4 all versions
FortiTester 2.3 all versions
Solutions
Please upgrade to FortiTester version 7.3.0 or above.
Acknowledgement
Internally discovered and reported by Wilfried Djettchou of the Fortinet Product Security team.
Timeline
2023-09-01: Initial publication