{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23670", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2024-01-19T08:23:28.613Z", "datePublished": "2024-06-03T09:48:12.424Z", "dateUpdated": "2024-06-04T17:45:45.944Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiWebManager", "defaultStatus": "unaffected", "versions": [{"version": "7.2.0", "status": "affected"}, {"versionType": "semver", "version": "7.0.0", "lessThanOrEqual": "7.0.4", "status": "affected"}, {"version": "6.3.0", "status": "affected"}, {"versionType": "semver", "version": "6.2.3", "lessThanOrEqual": "6.2.4", "status": "affected"}, {"version": "6.0.2", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2024-06-03T09:48:12.424Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-285", "description": "Execute unauthorized code or commands", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:X"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiWebManager version 7.4.0 or above \nPlease upgrade to FortiWebManager version 7.2.1 or above \nPlease upgrade to FortiWebManager version 7.0.5 or above \nPlease upgrade to FortiWebManager version 6.3.1 or above \nPlease upgrade to FortiWebManager version 6.2.5 or above \n"}], "references": [{"name": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23670", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-03T16:51:43.637231Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:7.2.0:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "7.2.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:7.0.0:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.4"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:6.3.0:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "6.3.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:6.2.3:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "6.2.3", "versionType": "custom", "lessThanOrEqual": "6.2.4"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:fortinet:fortiweb_manager:6.0.2:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiweb_manager", "versions": [{"status": "affected", "version": "6.0.2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:45:45.944Z"}}]}}

{"descriptions": [{"lang": "en", "value": "An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI."}], "id": "CVE-2024-23670", "lastModified": "2024-06-03T14:46:24.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@fortinet.com", "type": "Secondary"}]}, "published": "2024-06-03T10:15:13.523", "references": [{"source": "psirt@fortinet.com", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-222"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "psirt@fortinet.com", "type": "Primary"}]}

{}