PT-2023-3966 · Fortinet · FortiExtender

Published: 2023-07-11 · Updated: 2023-07-20 · CVE-2022-23447

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

FortiExtender versions 3.2.1 through 3.2.3
FortiExtender versions 3.3.0 through 3.3.2
FortiExtender versions 4.0.0 through 4.0.2
FortiExtender versions 4.1.1 through 4.1.8
FortiExtender versions 4.2.0 through 4.2.4
FortiExtender versions 5.3
FortiExtender versions 7.0.0 through 7.0.3
Description

The issue is an improper limitation of a pathname to a restricted directory, also known as a 'Path Traversal' vulnerability. It may allow an unauthenticated remote attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.
Recommendations

For FortiExtender versions 3.2.1 through 3.2.3, consider disabling access to the management interface until a patch is available.
For FortiExtender versions 3.3.0 through 3.3.2, restrict access to the management interface to minimize the risk of exploitation.
For FortiExtender versions 4.0.0 through 4.0.2, avoid using specially crafted web requests to the management interface until the issue is resolved.
For FortiExtender versions 4.1.1 through 4.1.8, consider implementing additional security measures to prevent remote attackers from retrieving arbitrary files.
For FortiExtender versions 4.2.0 through 4.2.4, restrict access to the underlying filesystem to prevent exploitation.
For FortiExtender versions 5.3, consider disabling the management interface until a patch is available.
For FortiExtender versions 7.0.0 through 7.0.3, restrict access to the management interface to minimize the risk of exploitation.
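As an added illustration, not part of this advisory or of Fortinet's own tooling, a small Python checker that tests a FortiExtender version string against the affected ranges listed above; it assumes the bare "5.3" entry covers every 5.3.x release, which the advisory does not spell out.

```python
# Added example: decide whether a FortiExtender build falls inside the
# affected ranges from this advisory. The "5.3" entry is treated as a
# prefix covering all 5.3.x releases (assumption, not stated on the page).
from typing import Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn '4.1.8' into (4, 1, 8); raises ValueError on non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def _pad(v: Version, width: int) -> Version:
    """Right-pad with zeros so (5, 3) and (5, 3, 0) compare equal."""
    return v + (0,) * (width - len(v))

# (first affected, last affected), copied from the advisory text.
AFFECTED_RANGES = [
    ("3.2.1", "3.2.3"),
    ("3.3.0", "3.3.2"),
    ("4.0.0", "4.0.2"),
    ("4.1.1", "4.1.8"),
    ("4.2.0", "4.2.4"),
    ("5.3", "5.3"),      # all 5.3.x releases (assumption)
    ("7.0.0", "7.0.3"),
]

def matching_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (low, high) range containing `version`, or None if unaffected."""
    v = parse_version(version)
    for low_s, high_s in AFFECTED_RANGES:
        low, high = parse_version(low_s), parse_version(high_s)
        width = max(len(v), len(low), len(high))
        # A shorter upper bound acts as a prefix: "5.3" matches 5.3.7 but not 5.4.
        if len(high) < len(v) and v[: len(high)] == high:
            return (low_s, high_s)
        if _pad(low, width) <= _pad(v, width) <= _pad(high, width):
            return (low_s, high_s)
    return None

def is_affected(version: str) -> bool:
    """True when `version` is inside any affected range."""
    return matching_range(version) is not None
```

Feed it the firmware version reported by the device; a result of None means the build is outside every range on this page, not that it is patched for other issues.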

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2023-04262
CVE-2022-23447

Affected Products

FortiExtender