CVE-2022-27488: Fortiguard

A cross-site request forgery (CSRF) in Fortinet FortiVoiceEnterprise version 6.4.x, 6.0.x; FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.0 through 6.2.7, 6.0.x; FortiMail version 7.0.0 through 7.0.3, 6.4.0 through 6.4.6, 6.2.x, 6.0.x; FortiRecorder version 6.4.0 through 6.4.2, 6.0.x, 2.7.x, 2.6.x; and FortiNDR version 1.x.x allows a remote unauthenticated attacker to execute commands on the CLI by tricking an authenticated administrator into executing malicious GET requests.

FortiMail / FortiNDR / FortiRecorder / FortiSwitch / FortiVoice - Cross-site request forgery (CSRF) in HTTPd CLI console

Summary

A cross-site request forgery vulnerability [CWE-352] in FortiMail, FortiNDR, FortiRecorder, FortiSwitch and FortiVoiceEnterprise may allow a remote and unauthenticated attacker to execute commands on the CLI by tricking an authenticated administrator into executing malicious GET requests.

| Version           | Affected              | Solution                   |
|-------------------|-----------------------|----------------------------|
| FortiMail 7.2     | Not affected          | Not Applicable             |
| FortiMail 7.0     | 7.0.0 through 7.0.3   | Upgrade to 7.0.4 or above  |
| FortiMail 6.4     | 6.4.0 through 6.4.6   | Upgrade to 6.4.7 or above  |
| FortiMail 6.2     | 6.2 all versions      | Migrate to a fixed release |
| FortiMail 6.0     | 6.0 all versions      | Migrate to a fixed release |
| FortiNDR 7.2      | Not affected          | Not Applicable             |
| FortiNDR 7.1      | 7.1.0                 | Upgrade to 7.1.1 or above  |
| FortiNDR 7.0      | 7.0.0 through 7.0.4   | Upgrade to 7.0.5 or above  |
| FortiNDR 1.5      | 1.5 all versions      | Migrate to a fixed release |
| FortiNDR 1.4      | 1.4 all versions      | Migrate to a fixed release |
| FortiNDR 1.3      | 1.3 all versions      | Migrate to a fixed release |
| FortiNDR 1.2      | 1.2 all versions      | Migrate to a fixed release |
| FortiNDR 1.1      | 1.1 all versions      | Migrate to a fixed release |
| FortiRecorder 7.0 | Not affected          | Not Applicable             |
| FortiRecorder 6.4 | 6.4.0 through 6.4.2   | Upgrade to 6.4.3 or above  |
| FortiRecorder 6.0 | 6.0.0 through 6.0.11  | Upgrade to 6.0.12 or above |
| FortiRecorder 2.7 | 2.7 all versions      | Migrate to a fixed release |
| FortiRecorder 2.6 | 2.6 all versions      | Migrate to a fixed release |
| FortiSwitch 7.2   | Not affected          | Not Applicable             |
| FortiSwitch 7.0   | 7.0.0 through 7.0.4   | Upgrade to 7.0.5 or above  |
| FortiSwitch 6.4   | 6.4.0 through 6.4.10  | Upgrade to 6.4.11 or above |
| FortiSwitch 6.2   | 6.2 all versions      | Migrate to a fixed release |
| FortiSwitch 6.0   | 6.0 all versions      | Migrate to a fixed release |
| FortiVoice 7.0    | Not affected          | Not Applicable             |
| FortiVoice 6.4    | 6.4.0 through 6.4.7   | Upgrade to 6.4.8 or above  |
| FortiVoice 6.0    | 6.0.0 through 6.0.11  | Upgrade to 6.0.12 or above |

Acknowledgement

Internally discovered and reported by Théo Leleu of Fortinet Product Security team.

Timeline

2023-12-11: Initial publication
