CVE-2023-27998 - Vulnerability Details - OpenCVE

A lack of custom error pages vulnerability [CWE-756] in FortiPresence versions 1.2.0 through 1.2.1 and all versions of 1.1 and 1.0 may allow an unauthenticated attacker with the ability to navigate to the login GUI to gain sensitive information via navigating to specific HTTP(s) paths.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Fortinet	Fortipresence

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortipresence:1.0.0:::::::*
	cpe:2.3:a:fortinet:fortipresence:1.1.0:::::::*
	cpe:2.3:a:fortinet:fortipresence:1.1.1:::::::*
	cpe:2.3:a:fortinet:fortipresence:1.2.0:::::::*
	cpe:2.3:a:fortinet:fortipresence:1.2.1:::::::*

No data.

References

Link	Providers
https://fortiguard.com/psirt/FG-IR-22-288

History

Wed, 25 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:fortinet:fortipresence::::::::
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2023-09-13T12:29:15.591Z

Updated: 2024-09-25T17:26:14.202Z

Reserved: 2023-03-09T10:09:33.120Z

Link: CVE-2023-27998

Vulnrichment

Updated: 2024-08-02T12:23:30.828Z

NVD

Status : Modified

Published: 2023-09-13T13:15:08.200

Modified: 2024-11-21T07:53:54.130

Link: CVE-2023-27998

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-27998", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2023-03-09T10:09:33.120Z", "datePublished": "2023-09-13T12:29:15.591Z", "dateUpdated": "2024-09-25T17:26:14.202Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiPresence", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "1.2.0", "lessThanOrEqual": "1.2.1", "status": "affected"}, {"versionType": "semver", "version": "1.1.0", "lessThanOrEqual": "1.1.1", "status": "affected"}, {"version": "1.0.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A lack of custom error pages vulnerability [CWE-756] in FortiPresence versions 1.2.0 through 1.2.1 and all versions of 1.1 and 1.0 may allow an unauthenticated attacker with the ability to navigate to the login GUI to gain sensitive information via navigating to specific HTTP(s) paths."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2023-09-13T12:29:15.591Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-756", "description": "Information disclosure", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:X/RC:C"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiPresence version 2.0.0 or above\r\n\u00a0"}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-22-288", "url": "https://fortiguard.com/psirt/FG-IR-22-288"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:23:30.828Z"}, "title": "CVE Program Container", "references": [{"name": "https://fortiguard.com/psirt/FG-IR-22-288", "url": "https://fortiguard.com/psirt/FG-IR-22-288", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "fortinet", "product": "fortipresence", "cpes": ["cpe:2.3:a:fortinet:fortipresence:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.0.0", "status": "affected"}, {"version": "1.1.0", "status": "affected"}, {"version": "1.2.0", "status": "affected", "lessThanOrEqual": "1.2.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-25T17:24:33.642111Z", "id": "CVE-2023-27998", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T17:26:14.202Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://fortiguard.com/psirt/FG-IR-22-288", "name": "https://fortiguard.com/psirt/FG-IR-22-288", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:23:30.828Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-27998", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-25T17:24:33.642111Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:fortinet:fortipresence:*:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortipresence", "versions": [{"status": "affected", "version": "1.0.0"}, {"status": "affected", "version": "1.1.0"}, {"status": "affected", "version": "1.2.0", "versionType": "custom", "lessThanOrEqual": "1.2.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T17:26:07.782Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:X/RC:C", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Fortinet", "product": "FortiPresence", "versions": [{"status": "affected", "version": "1.2.0", "versionType": "semver", "lessThanOrEqual": "1.2.1"}, {"status": "affected", "version": "1.1.0", "versionType": "semver", "lessThanOrEqual": "1.1.1"}, {"status": "affected", "version": "1.0.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiPresence version 2.0.0 or above\r\n\u00a0"}], "references": [{"url": "https://fortiguard.com/psirt/FG-IR-22-288", "name": "https://fortiguard.com/psirt/FG-IR-22-288"}], "descriptions": [{"lang": "en", "value": "A lack of custom error pages vulnerability [CWE-756] in FortiPresence versions 1.2.0 through 1.2.1 and all versions of 1.1 and 1.0 may allow an unauthenticated attacker with the ability to navigate to the login GUI to gain sensitive information via navigating to specific HTTP(s) paths."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-756", "description": "Information disclosure"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2023-09-13T12:29:15.591Z"}}}, "cveMetadata": {"cveId": "CVE-2023-27998", "state": "PUBLISHED", "dateUpdated": "2024-09-25T17:26:14.202Z", "dateReserved": "2023-03-09T10:09:33.120Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2023-09-13T12:29:15.591Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortipresence:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "889484EB-8EDC-4FB5-A0F9-1E719C9099D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortipresence:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "DF2B518A-EA40-4D65-9E9A-69D39A8AC01F", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortipresence:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C2BEFF20-BAFA-4169-8F6A-D472C45EB2EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortipresence:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "14BC839F-E70C-4676-B523-BAD563C8E6E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortipresence:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "1E5C2455-84E1-4403-A4B5-B57CDA302BBD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A lack of custom error pages vulnerability [CWE-756] in FortiPresence versions 1.2.0 through 1.2.1 and all versions of 1.1 and 1.0 may allow an unauthenticated attacker with the ability to navigate to the login GUI to gain sensitive information via navigating to specific HTTP(s) paths."}, {"lang": "es", "value": "Una vulnerabilidad de falta de p\u00e1ginas de error personalizadas [CWE-756] en las versiones 1.2.0 a 1.2.1 de FortiPresence y todas las versiones 1.1 y 1.0 puede permitir que un atacante no autenticado con la capacidad de navegar hasta la GUI de inicio de sesi\u00f3n obtenga informaci\u00f3n sensible navegando a rutas HTTP(s) espec\u00edficas."}], "id": "CVE-2023-27998", "lastModified": "2024-11-21T07:53:54.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "psirt@fortinet.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-13T13:15:08.200", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-22-288"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-22-288"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-756"}], "source": "psirt@fortinet.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-755"}], "source": "nvd@nist.gov", "type": "Primary"}]}