#VU89597 Authorization bypass through user-controlled key in FortiVoice


Vulnerability identifier: #VU89597

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-40720

CWE-ID: CWE-639

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FortiVoice
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: Fortinet, Inc

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions. A remote user can read the SIP configuration of other users via a crafted HTTP request.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

FortiVoice: 6.0.0 - 7.0.1

External links
http://fortiguard.com/psirt/FG-IR-23-282

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Information disclosure in FortiVoice