#VU84528 Improper Authorization in FortiADC - CVE-2023-41673

Cybersecurity Help s.r.o.

Published: 2023-12-18

Vulnerability identifier: #VU84528

Vulnerability risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-41673

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FortiADC
Server applications / Other server solutions

Vendor: Fortinet, Inc

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper authorization. A remote read-only administrator can read or backup the full system configuration via HTTP or HTTPS requests.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

FortiADC: 6.0.0 - 6.0.4, 6.1.0 - 6.1.6, 6.2.0 - 6.2.6, 7.0.0 - 7.0.5, 7.1.0 - 7.1.4, 7.2.0 - 7.2.2, 7.4.0

External links
https://fortiguard.com/psirt/FG-IR-23-270

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Missing authorization in FortiADC