PT-2023-5204 · Fortinet · FortiAnalyzer, FortiManager

Published: 2023-06-25 · Updated: 2023-09-15 · CVE-2023-36638

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions: FortiManager versions 6.0 through 7.2.2; FortiAnalyzer versions 6.0 through 7.2.2
Description: An improper privilege management weakness may allow a remote, authenticated API admin user who holds a stolen GUI session ID to access certain system settings (such as mail server settings) through the API. This could lead to unauthorized access to protected information and elevated privileges.
Recommendations: For FortiManager versions 6.0 through 7.2.2 and FortiAnalyzer versions 6.0 through 7.2.2, consider restricting access to the API and system settings to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Access Control
Improper Privilege Management

Related Identifiers

BDU:2023-05810
CVE-2023-36638

Affected Products

FortiAnalyzer
FortiManager