CVE-2024-23670 - Vulnerability Details - OpenCVE

An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fortinet	Fortiwebmanager

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortiwebmanager::::::::
	cpe:2.3:a:fortinet:fortiwebmanager::::::::
	cpe:2.3:a:fortinet:fortiwebmanager:6.0.2:::::::*
	cpe:2.3:a:fortinet:fortiwebmanager:6.3.0:::::::*
	cpe:2.3:a:fortinet:fortiwebmanager:7.2.0:::::::*

No data.

References

Link	Providers
https://fortiguard.fortinet.com/psirt/FG-IR-23-222

History

Tue, 17 Dec 2024 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fortinet Fortinet fortiwebmanager
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:fortinet:fortiwebmanager:::::::: cpe:2.3:a:fortinet:fortiwebmanager:6.0.2:::::::* cpe:2.3:a:fortinet:fortiwebmanager:6.3.0:::::::* cpe:2.3:a:fortinet:fortiwebmanager:7.2.0:::::::*
Vendors & Products		Fortinet Fortinet fortiwebmanager

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2024-06-03T09:48:12.424Z

Updated: 2024-08-01T23:06:25.445Z

Reserved: 2024-01-19T08:23:28.613Z

Link: CVE-2024-23670

Vulnrichment

Updated: 2024-08-01T23:06:25.445Z

NVD

Status : Analyzed

Published: 2024-06-03T10:15:13.523

Modified: 2024-12-17T16:35:25.233

Link: CVE-2024-23670

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23670", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2024-01-19T08:23:28.613Z", "datePublished": "2024-06-03T09:48:12.424Z", "dateUpdated": "2024-08-01T23:06:25.445Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiWebManager", "defaultStatus": "unaffected", "versions": [{"version": "7.2.0", "status": "affected"}, {"versionType": "semver", "version": "7.0.0", "lessThanOrEqual": "7.0.4", "status": "affected"}, {"version": "6.3.0", "status": "affected"}, {"versionType": "semver", "version": "6.2.3", "lessThanOrEqual": "6.2.4", "status": "affected"}, {"version": "6.0.2", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2024-06-03T09:48:12.424Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-285", "description": "Execute unauthorized code or commands", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:X"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiWebManager version 7.4.0 or above \nPlease upgrade to FortiWebManager version 7.2.1 or above \nPlease upgrade to FortiWebManager version 7.0.5 or above \nPlease upgrade to FortiWebManager version 6.3.1 or above \nPlease upgrade to FortiWebManager version 6.2.5 or above \n"}], "references": [{"name": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23670", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-03T16:51:43.637231Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:7.2.0:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "7.2.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:7.0.0:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.4"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:6.3.0:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "6.3.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:6.2.3:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "6.2.3", "versionType": "custom", "lessThanOrEqual": "6.2.4"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:6.0.2:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "6.0.2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:45:45.944Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.445Z"}, "title": "CVE Program Container", "references": [{"name": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222", "name": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.445Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23670", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-03T16:51:43.637231Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:7.2.0:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "7.2.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:7.0.0:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.4"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:6.3.0:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "6.3.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:6.2.3:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "6.2.3", "versionType": "custom", "lessThanOrEqual": "6.2.4"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:6.0.2:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "6.0.2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-03T16:51:34.236Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:X", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Fortinet", "product": "FortiWebManager", "versions": [{"status": "affected", "version": "7.2.0"}, {"status": "affected", "version": "7.0.0", "versionType": "semver", "lessThanOrEqual": "7.0.4"}, {"status": "affected", "version": "6.3.0"}, {"status": "affected", "version": "6.2.3", "versionType": "semver", "lessThanOrEqual": "6.2.4"}, {"status": "affected", "version": "6.0.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiWebManager version 7.4.0 or above \nPlease upgrade to FortiWebManager version 7.2.1 or above \nPlease upgrade to FortiWebManager version 7.0.5 or above \nPlease upgrade to FortiWebManager version 6.3.1 or above \nPlease upgrade to FortiWebManager version 6.2.5 or above \n"}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222", "name": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222"}], "descriptions": [{"lang": "en", "value": "An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "Execute unauthorized code or commands"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2024-06-03T09:48:12.424Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23670", "state": "PUBLISHED", "dateUpdated": "2024-08-01T23:06:25.445Z", "dateReserved": "2024-01-19T08:23:28.613Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2024-06-03T09:48:12.424Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortiwebmanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "C00F44FF-9533-4354-9060-A74E8F43E747", "versionEndExcluding": "6.2.5", "versionStartIncluding": "6.2.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiwebmanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "403F07C3-8D48-4403-B9EE-0076F8639CB1", "versionEndExcluding": "7.0.5", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiwebmanager:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "6AB742D6-5B08-4FF7-A366-F4CE1E91C9A0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiwebmanager:6.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "A921BEEB-D912-471E-8176-8804F5CD5118", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiwebmanager:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "1C7475A8-52EB-413E-A196-6F43137B545F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI."}, {"lang": "es", "value": "Una autorizaci\u00f3n inadecuada en Fortinet FortiWebManager versi\u00f3n 7.2.0 y 7.0.0 hasta 7.0.4 y 6.3.0 y 6.2.3 hasta 6.2.4 y 6.0.2 permite al atacante ejecutar c\u00f3digo o comandos no autorizados a trav\u00e9s de solicitudes HTTP o CLI."}], "id": "CVE-2024-23670", "lastModified": "2024-12-17T16:35:25.233", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@fortinet.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-03T10:15:13.523", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "psirt@fortinet.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}