Severity
Medium
Analysis Summary
CVE-2023-44247 CVSS: 6.6
Fortinet FortiOS could allow a remote attacker to execute arbitrary code or commands on the system, caused by a double free vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands or code on the system.
CVE-2024-31488 CVSS: 6.1
FortiNAC is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2024-26007 CVSS: 5.3
Fortinet FortiOS is vulnerable to a denial of service, caused by improper check or handling of exceptional conditions vulnerability. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVE-2023-36640 CVSS: 6.7
Fortinet FortiProxy could allow a remote attacker to execute arbitrary code or commands on the system. This vulnerability is caused by an externally controlled format string. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands or code on the system.
CVE-2023-45586 CVSS: 4.3
Fortinet FortiOS could allow a remote attacker to conduct spoofing attacks, caused by an insufficient verification of data authenticity vulnerability in FortiOS SSL-VPN tunnel mode. By sending specially crafted packets with spoofing the IP, an attacker could exploit this vulnerability to spoof another user.
CVE-2023-46714 CVSS: 7.2
Fortinet FortiOS is vulnerable to a stack buffer overflow, caused by improper bounds checking. By sending a specially crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the system to crash.
CVE-2023-45583 CVSS: 6.7
Fortinet FortiProxy could allow a remote attacker to execute arbitrary code or commands on the system. This vulnerability is caused by an externally controlled format string. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands or code on the system.
CVE-2024-23105 CVSS: 7.5
Fortinet FortiPortal could allow a remote attacker to bypass security restrictions caused by the use of less trusted sources. By sending a specially crafted HTTPS packets, an attacker could exploit this vulnerability to bypass access IP protection.
Impact
- Denial of Service
- Code Execution
- Cross-Site Scripting
- Gain Access
- Buffer Overflow
- Security Bypass
Indicators of Compromise
CVE
- CVE-2023-44247
- CVE-2024-31488
- CVE-2024-26007
- CVE-2023-36640
- CVE-2023-45586
- CVE-2023-46714
- CVE-2023-45583
- CVE-2024-23105
Affected Vendors
Affected Products
- Fortinet FortiOS 7.2.0
- Fortinet FortiProxy 7.0.0
- Fortinet FortiOS 6.4.0
- Fortinet FortiOS 6.2
- Fortinet FortiOS 6.0
- Fortinet FortiProxy 7.2.0
- Fortinet FortiNAC 8.7
- Fortinet FortiNAC 8.8
- Fortinet FortiNAC 9.1
- Fortinet FortiNAC 9.2
- Fortinet FortiNAC 7.2.0
- Fortinet FortiOS 6.4
- Fortinet FortiOS 7.4.0
- Fortinet FortiOS 7.2.5
- Fortinet FortiOS 7.0.12
- Fortinet FortiPAM 1.1.0
- Fortinet FortiPortal 7.0.6
- Fortinet FortiOS 7.4.1
- Fortinet FortiProxy 7.4.0
- Fortinet FortiProxy 7.4.1
- Fortinet FortiOS 7.2.6
- Fortinet FortiOS 7.2.7
- Fortinet FortiProxy 7.2.7
- Fortinet FortiPAM 1.0
- Fortinet FortiPAM 1.0.0
- Fortinet FortiPAM 1.1
- Fortinet FortiNAC 9.4.4
- Fortinet FortiPortal 7.2.1
Remediation
Refer to FortiGuard Advisory for patch, upgrade or suggested workaround information.