CVE-2023-36639

A use of externally-controlled format string in Fortinet FortiProxy versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.10, FortiOS versions 7.4.0, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiPAM versions 1.0.0 through 1.0.3 allows attacker to execute unauthorized code or commands via specially crafted API requests.

Published: Dec 13, 2023
Updated: Dec 16, 2023
CVE: CVE-2023-36639
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-134

Affected Software
References

Software	From	Fixed in
fortinet / fortios	7.2.0	7.2.4.x
fortinet / fortios	6.2.0	6.2.15.x
fortinet / fortios	6.4.0	6.4.12.x
fortinet / fortios	7.0.0	7.0.11.x
fortinet / fortios	6.0.0	6.0.17.x
fortinet / fortiproxy	7.0.0	7.0.10.x
fortinet / fortios	7.4.0	7.4.0.x
fortinet / fortiproxy	7.2.0	7.2.4.x
fortinet / fortipam	1.1.0	1.1.0.x
fortinet / fortipam	1.0.0	1.0.3.x

https://fortiguard.com/psirt/FG-IR-23-138

Vulnerability Database

289,784

CVE-2023-36639