PT-2023-3050 · Fortinet · Fortinac

Published: 2023-02-16 · Updated: 2023-02-27 · CVE-2022-39954

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:C
Name of the Vulnerable Software and Affected Versions

FortiNAC versions 8.3.7 through 8.5.4
FortiNAC versions 8.6.0 through 8.6.5
FortiNAC versions 8.7.0 through 8.7.6
FortiNAC versions 8.8.0 through 8.8.11
FortiNAC versions 9.1.0 through 9.1.8
FortiNAC versions 9.2.0 through 9.2.7
FortiNAC versions 9.4.0 through 9.4.1
Description

The issue is an improper restriction of XML external entity references (XXE): a specifically crafted XML document can make the affected FortiNAC component read arbitrary files or trigger a denial of service. A remote attacker can thereby gain unauthorized access to protected information or cause a denial of service.
Recommendations

For all affected ranges (FortiNAC 8.3.7 through 8.5.4, 8.6.0 through 8.6.5, 8.7.0 through 8.7.6, 8.8.0 through 8.8.11, 9.1.0 through 9.1.8, 9.2.0 through 9.2.7, and 9.4.0 through 9.4.1), update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the processing of XML documents to minimize the risk of exploitation.
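One way to implement the workaround of restricting which XML documents are processed, as an added example that is not from the advisory and not FortiNAC code: refuse any document that carries a DOCTYPE before it reaches the application's parser, since both the file-read and the denial-of-service variants the description mentions depend on entity declarations inside a DOCTYPE. The sample documents and placeholder paths are constructed for the example.

```python
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """Raised when a document carries a DOCTYPE (where XXE payloads live)."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Any DOCTYPE is refused: external entities (file read) and recursive
    # entity expansion (denial of service) both require one.
    raise UnsafeXML(f"DOCTYPE {doctype_name!r} refused (system id: {system_id!r})")


def check_xml(data: bytes) -> bool:
    """Parse `data` with DTD processing refused; True if it is acceptable.

    Raises UnsafeXML on a DOCTYPE and expat.ExpatError on malformed input,
    so the caller can distinguish a hostile document from a broken one.
    """
    parser = expat.ParserCreate()
    # Never fetch external parameter entities (an external DTD).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.Parse(data, True)
    return True


def is_safe_xml(data: bytes) -> bool:
    """Boolean gate to place in front of the real XML parser."""
    try:
        return check_xml(data)
    except (UnsafeXML, expat.ExpatError):
        return False


# Constructed sample documents (placeholder values, not real paths or hosts).
SAFE_DOC = b'<?xml version="1.0"?><config><host>nac.example.invalid</host></config>'
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE cfg [<!ENTITY ext SYSTEM "file:///placeholder/secret">]>'
           b'<config>&ext;</config>')
DOS_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE cfg [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
           b'<config>&b;</config>')

if __name__ == "__main__":
    for name, doc in [("safe", SAFE_DOC), ("xxe", XXE_DOC), ("dos", DOS_DOC)]:
        print(name, "accepted" if is_safe_xml(doc) else "rejected")
```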

Fix

XXE

Weakness Enumeration

Related Identifiers: BDU:2023-03117, CVE-2022-39954

Affected Products: Fortinac