CVE-2023-42787: Fortiguard
A client-side enforcement of server-side security [CWE-602] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 may allow a remote attacker with low privileges to access a privileged web console via client-side code execution.
PSIRT Advisories
FortiManager / FortiAnalyzer - Unprivileged user can access web console and run some unauthorized commands
Summary
A client-side enforcement of server-side security [CWE-602] vulnerability in FortiManager and FortiAnalyzer may allow a remote attacker with low privileges to access a privileged web console via client-side code execution.
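The weakness class named above (CWE-602) is easiest to see side by side: a handler that trusts a browser-supplied flag to gate a privileged console, next to one that decides only from server-held session state. This is a constructed illustration added here, not FortiManager or FortiAnalyzer code; the `Session`, `Request` and handler names are assumptions.

```python
"""Constructed model of CWE-602: client-side enforcement of server-side security.
Not vendor code; names and structures are illustrative assumptions."""
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    role: str  # assigned by the server at login: "admin" or "restricted"


@dataclass
class Request:
    path: str
    session: Session
    # Everything the browser sends (form fields, JSON body, custom headers)
    # is attacker-controlled; a low-privilege user can set any value here.
    client_claims: dict = field(default_factory=dict)


def console_handler_vulnerable(req: Request) -> tuple[int, str]:
    """Vulnerable pattern: the UI hides the console link from restricted users,
    and the server merely checks a flag the client itself supplied."""
    if req.client_claims.get("console_allowed") == "true":
        return 200, "console"
    return 403, "forbidden"


def console_handler_fixed(req: Request) -> tuple[int, str]:
    """Fixed pattern: authorization derives only from the server-side session.
    Client-supplied fields are never consulted for the access decision."""
    if req.session.role != "admin":
        return 403, "forbidden"
    return 200, "console"


if __name__ == "__main__":
    low_priv = Session("bob", "restricted")
    # A restricted user who sends the flag the UI would normally withhold.
    crafted = Request("/console", low_priv, {"console_allowed": "true"})
    print("vulnerable:", console_handler_vulnerable(crafted))  # 200: bypassed
    print("fixed:     ", console_handler_fixed(crafted))       # 403: denied
```

The fixed handler is the detection check as well: any access decision that reads a role, flag or permission from the request rather than from the session is the defect to look for in review.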
Major Version      | Affected Products   | Solutions
-------------------|---------------------|---------------------------
FortiManager 7.4   | 7.4.0               | Upgrade to 7.4.1 or above
FortiManager 7.2   | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above
FortiManager 7.0   | 7.0 all versions    | Migrate to a fixed release
FortiManager 6.4   | 6.4 all versions    | Migrate to a fixed release
FortiManager 6.2   | 6.2 all versions    | Migrate to a fixed release
FortiAnalyzer 7.4  | 7.4.0               | Upgrade to 7.4.1 or above
FortiAnalyzer 7.2  | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above
FortiAnalyzer 7.0  | 7.0 all versions    | Migrate to a fixed release
FortiAnalyzer 6.4  | 6.4 all versions    | Migrate to a fixed release
FortiAnalyzer 6.2  | 6.2 all versions    | Migrate to a fixed release
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
Acknowledgement
Fortinet is pleased to thank security researchers Mickael Dorigny at Orange Cyberdéfense, Hélène Saliou, Frédéric Prevost, François-Xavier Picard and Orange CERT-CC at Orange group for discovering and reporting this vulnerability under responsible disclosure.
Timeline
2023-10-10: Initial publication