CVE-2024-23670

Name of the Vulnerable Software and Affected Versions: Fortinet FortiWebManager versions 6.0.2, 6.2.3 through 6.2.4, 6.3.0, 7.0.0 through 7.0.4, and 7.2.0

Description: The issue is related to an improper authorization in Fortinet FortiWebManager, which can allow an attacker to execute unauthorized code or commands via HTTP requests or CLI. This can be achieved by sending specially crafted HTTP requests. The vulnerability is associated with deficiencies in the authorization procedure, potentially enabling an attacker to read, modify, or delete data.

Recommendations: For Fortinet FortiWebManager version 6.0.2, update to a fixed version when available. For Fortinet FortiWebManager versions 6.2.3 through 6.2.4, update to a fixed version when available. For Fortinet FortiWebManager version 6.3.0, update to a fixed version when available. For Fortinet FortiWebManager versions 7.0.0 through 7.0.4, update to a fixed version when available. For Fortinet FortiWebManager version 7.2.0, update to a fixed version when available. As a temporary workaround, consider restricting access to the vulnerable FortiWebManager instances until a patch is available.