First published: Tue Nov 12 2024
An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb version 7.6.0, version 7.4.3 and below, version 7.2.10 and below, version 7.0.10 and below, version 6.3.23 and below may allow an authenticated attacker to access the encrypted passwords of other administrators via the "Log Access Event" logs page.
Credit: psirt@fortinet.com
Affected Software | Affected Version | How to fix |
---|---|---|
Fortinet FortiWeb | >=6.3.0 <7.4.4 | Please upgrade to FortiWeb version 7.4.4 or above |
Fortinet FortiWeb | =7.6.0 | Please upgrade to FortiWeb version 7.6.1 or above |
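The version ranges in the table above, turned into a small inventory check. This is an added example, not code from SecAlerts or Fortinet; it assumes FortiWeb versions are reported as dotted "major.minor.patch" strings, and the hostnames in the sample inventory are constructed.

```python
from typing import Optional

def parse_version(v: str) -> tuple:
    """'7.4.3' -> (7, 4, 3). Missing trailing components default to 0."""
    parts = v.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {v!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

# Affected ranges exactly as the advisory table states them, each paired with
# the fixed release the table names for that range.
AFFECTED_RANGES = [
    # (lower bound inclusive, upper bound exclusive, fixed version)
    ((6, 3, 0), (7, 4, 4), "7.4.4"),   # >=6.3.0 <7.4.4
    ((7, 6, 0), (7, 6, 1), "7.6.1"),   # =7.6.0
]

def check_cve_2024_36509(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v < high:   # tuple comparison orders major, then minor, then patch
            return fixed
    return None

def triage_inventory(inventory: dict) -> dict:
    """Map {hostname: version} to {hostname: action} for hosts needing attention.

    Unparseable version strings are flagged for manual review rather than
    silently treated as patched.
    """
    findings = {}
    for host, version in inventory.items():
        try:
            fixed = check_cve_2024_36509(version)
        except ValueError:
            fixed = "unknown version; verify manually"
        if fixed is not None:
            findings[host] = fixed
    return findings

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"waf-edge-1": "7.4.3", "waf-edge-2": "7.6.0",
              "waf-lab": "7.4.4", "waf-old": "6.3.23"}
    for host, action in triage_inventory(sample).items():
        print(f"{host}: affected by CVE-2024-36509, upgrade to {action}")
```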
CVE-2024-36509 has a medium severity rating due to the risk of unauthorized access to sensitive system information.
To fix CVE-2024-36509, upgrade FortiWeb to version 7.4.4 or later, or to other secure versions as specified in the advisory.
CVE-2024-36509 affects FortiWeb versions 7.6.0, 7.4.3 and below, 7.2.10 and below, 7.0.10 and below, and 6.3.23 and below.
CVE-2024-36509 exposes encrypted passwords and sensitive system information to authenticated attackers.
An authenticated attacker can exploit CVE-2024-36509 to access sensitive information.