FortiManager/FortiAnalyzer 6.0-7.2: API Priv Escalation via Stolen Session ID
CVE-2023-36638 Published on September 13, 2023
An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID.
Vulnerability Analysis
CVE-2023-36638 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2023-36638 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2023-36638
stack.watch emails you whenever new vulnerabilities are published in Fortinet FortiManager or Fortinet Fortianalyzer. Just hit a watch button to start following.
Affected Versions
Fortinet FortiManager:- Version 7.2.0, <= 7.2.2 is affected.
- Version 7.0.0, <= 7.0.7 is affected.
- Version 6.4.0, <= 6.4.11 is affected.
- Version 6.2.0, <= 6.2.11 is affected.
- Version 6.0.0, <= 6.0.12 is affected.
- Version 7.2.0, <= 7.2.2 is affected.
- Version 7.0.0, <= 7.0.7 is affected.
- Version 6.4.0, <= 6.4.11 is affected.
- Version 6.2.0, <= 6.2.11 is affected.
- Version 6.0.0, <= 6.0.12 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.