First published: Wed Sep 13 2023(Updated: )
An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID.
Credit: psirt@fortinet.com psirt@fortinet.com
Affected Software | Affected Version | How to fix |
---|---|---|
Fortinet FortiAnalyzer | >=6.0.0<6.4.12 | |
Fortinet FortiAnalyzer | >=7.0.0<7.0.8 | |
Fortinet FortiAnalyzer | >=7.2.0<7.2.3 | |
Fortinet FortiManager | >=6.4.0<6.4.12 | |
Fortinet FortiManager | >=7.0.0<7.0.8 | |
Fortinet FortiManager | >=7.2.0<7.2.3 | |
Fortinet FortiAnalyzer | >=7.2.0<=7.2.2 | |
Fortinet FortiAnalyzer | >=7.0.0<=7.0.7 | |
Fortinet FortiAnalyzer | >=6.4.0<=6.4.11 | |
Fortinet FortiAnalyzer | >=6.2 | |
Fortinet FortiAnalyzer | >=6.0 | |
Fortinet FortiManager | >=7.2.0<=7.2.2 | |
Fortinet FortiManager | >=7.0.0<=7.0.7 | |
Fortinet FortiManager | >=6.4.0<=6.4.11 | |
Fortinet FortiManager | >=6.2 | |
Fortinet FortiManager | >=6.0 |
Please upgrade to FortiManager version 7.4.0 or above Please upgrade to FortiManager version 7.2.3 or above Please upgrade to FortiManager version 7.0.8 or above Please upgrade to FortiManager version 6.4.12 or above Please upgrade to FortiAnalyzer version 7.4.0 or above Please upgrade to FortiAnalyzer version 7.2.3 or above Please upgrade to FortiAnalyzer version 7.0.8 or above Please upgrade to FortiAnalyzer version 6.4.12 or above
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this FortiManager and FortiAnalyzer vulnerability is CVE-2023-36638.
The severity rating of vulnerability CVE-2023-36638 is 4.3 (medium).
FortiManager versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, and 6.0 all versions, and FortiAnalyzer versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, and 6.0 all versions are affected by vulnerability CVE-2023-36638.
The CWE-ID associated with vulnerability CVE-2023-36638 is CWE-269 (Improper Privilege Management).
To fix vulnerability CVE-2023-36638 in FortiManager and FortiAnalyzer, it is recommended to update to the latest patched version provided by Fortinet.