CVE-2024-23666

Name of the Vulnerable Software and Affected Versions FortiAnalyzer-BigData versions 6.2.5, 6.4.5 through 6.4.7, 7.0.1 through 7.0.6, 7.2.0 through 7.2.6, 7.4.0 FortiManager versions 6.4.0 through 6.4.14, 7.0.0 through 7.0.11, 7.2.0 through 7.2.4, 7.4.0 through 7.4.1 FortiAnalyzer versions 6.4.0 through 6.4.14, 7.0.0 through 7.0.11, 7.2.0 through 7.2.4, 7.4.0 through 7.4.1

Description The issue is related to a client-side enforcement of server-side security, allowing an attacker to gain improper access control via crafted requests. This can potentially enable a remote attacker to elevate their privileges by sending specially formed requests.

Recommendations For FortiAnalyzer-BigData versions 6.2.5, 6.4.5 through 6.4.7, 7.0.1 through 7.0.6, 7.2.0 through 7.2.6, 7.4.0, consider disabling the client-side enforcement of server-side security until a patch is available. For FortiManager versions 6.4.0 through 6.4.14, 7.0.0 through 7.0.11, 7.2.0 through 7.2.4, 7.4.0 through 7.4.1, restrict access to the affected modules to minimize the risk of exploitation. For FortiAnalyzer versions 6.4.0 through 6.4.14, 7.0.0 through 7.0.11, 7.2.0 through 7.2.4, 7.4.0 through 7.4.1, avoid using the vulnerable functions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.