Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-26110: Fortiguard

An improper access control vulnerability [CWE-284] in FortiOS autod daemon 7.0.0, 6.4.6 and below, 6.2.9 and below, 6.0.12 and below and FortiProxy 2.0.1 and below, 1.2.9 and below may allow an authenticated low-privileged attacker to escalate their privileges to super_admin via a specific crafted configuration of fabric automation CLI script and auto-script features.

CVE
Open in Source
#vulnerability#ios

PSIRT Advisories

FortiOS and FortiProxy - Privilege escalation vulnerability using the automation script feature

Summary

An improper access control vulnerability [CWE-284] in FortiOS and FortiProxy autod daemon may allow an authenticated low-privileged attacker to escalate their privileges to super_admin via a specific crafted configuration of fabric automation CLI script and auto-script features.

Affected Products

FortiOS version 7.0.0
FortiOS versions 6.4.6 and below.
FortiOS versions 6.2.9 and below.
FortiOS versions 6.0.12 and below.
FortiOS versions 5.6.x
FortiProxy versions 2.0.1 and below.
FortiProxy versions 1.2.9 and below.
FortiProxy versions 1.1.x
FortiProxy versions 1.0.x

Solutions

Please upgrade to FortiOS version 7.0.1 or above.
Please upgrade to FortiOS version 6.4.7 or above.
Please upgrade to FortiOS version 6.2.10 or above.
Please upgrade to FortiOS version 6.0.13 or above.

For new high-end F-Series Models (FG-1800F, FG-3800F, FG-4200F, FG-4400F) please upgrade to 6.2.9

Please upgrade to FortiProxy version 2.0.2 or above.
Please upgrade to FortiProxy version 1.2.10 or above.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE