CVE-2023-36638

An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID.

Published: Sep 13, 2023
Updated: Sep 20, 2023
CVE: CVE-2023-36638
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
fortinet / fortimanager	6.4.0	6.4.12
fortinet / fortianalyzer	7.2.0	7.2.3
fortinet / fortianalyzer	7.0.0	7.0.8
fortinet / fortianalyzer	6.0.0	6.4.12
fortinet / fortimanager	7.2.0	7.2.3
fortinet / fortimanager	7.0.0	7.0.8

https://fortiguard.com/psirt/FG-IR-22-522

Vulnerability Database

289,784

CVE-2023-36638