CVE-2023-26207: SMTP password ciphertext exposure in Log
First published: Mon Jun 12 2023(Updated: )
An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS / FortiProxy log events may allow a remote authenticated attacker to read certain passwords in ciphertext.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiProxy | >=7.0.0<=7.0.10 | |
| Fortinet FortiProxy | =7.2.0 | |
| Fortinet FortiProxy | =7.2.1 | |
| Fortinet FortiOS | >=7.2.0<=7.2.4 | |
| Fortinet FortiOS | >=7.2.0<=7.2.5 | |
| Fortinet FortiOS | >=7.0.0<=7.0.15 | |
| Fortinet FortiOS | >=6.4 | |
| Fortinet FortiOS | >=6.2 | |
| Fortinet FortiOS | >=6.0 | |
| Fortinet FortiProxy | >=7.2.0<=7.2.1 | |
| Fortinet FortiProxy | >=7.0.0<=7.0.7 | |
| Fortinet FortiProxy | >=2.0.0<=2.0.12 |
Remedy
Please upgrade to FortiOS version 7.4.0 or above Please upgrade to FortiProxy version 7.2.2 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-26207?
CVE-2023-26207 is an insertion of sensitive information into log file vulnerability in Fortinet FortiOS 7.2.0 through 7.2.4 and FortiProxy 7.0.0 through 7.0.10.
How does CVE-2023-26207 affect Fortinet FortiOS?
CVE-2023-26207 allows an attacker to read certain passwords in plain text on Fortinet FortiOS 7.2.0 through 7.2.4.
How does CVE-2023-26207 affect Fortinet FortiProxy?
CVE-2023-26207 allows an attacker to read certain passwords in plain text on Fortinet FortiProxy 7.0.0 through 7.0.10.
What is the severity of CVE-2023-26207?
The severity of CVE-2023-26207 is medium with a CVSS score of 6.5.
Is there a fix for CVE-2023-26207?
There is no fix available for CVE-2023-26207 at the moment. Please refer to the vendor's security advisory for updates.
- agent/type
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/author
- agent/weakness
- agent/title
- agent/references
- agent/softwarecombine
- agent/first-publish-date
- agent/description
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2023-26207
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/event
- agent/tags
- collector/fortiguard-psirt
- agent/software-canonical-lookup
- vendor/fortinet
- canonical/fortinet fortiproxy
- version/fortinet fortiproxy/7.0.0
- version/fortinet fortiproxy/7.0.10
- version/fortinet fortiproxy/7.2.0
- version/fortinet fortiproxy/7.2.1
- canonical/fortinet fortios
- version/fortinet fortios/7.2.0
- version/fortinet fortios/7.2.4
- version/fortinet fortios/7.2.5
- version/fortinet fortios/7.0.0
- version/fortinet fortios/7.0.15
- version/fortinet fortios/6.4
- version/fortinet fortios/6.2
- version/fortinet fortios/6.0
- version/fortinet fortiproxy/7.0.7
- version/fortinet fortiproxy/2.0.0
- version/fortinet fortiproxy/2.0.12