CVE-2023-44254

Name of the Vulnerable Software and Affected Versions: FortiAnalyzer versions 7.2.5 through 7.4.1 FortiManager versions 7.2.5 through 7.4.1

Description: The issue is related to an authorization bypass through a user-controlled key, allowing a remote attacker with low privileges to read sensitive data via a crafted HTTP request. This can be achieved by exploiting the vulnerability with a specially designed HTTP request.

Recommendations: For FortiAnalyzer versions 7.2.5 through 7.4.1, consider disabling access to sensitive data until a patch is available. For FortiManager versions 7.2.5 through 7.4.1, restrict access to the affected module to minimize the risk of exploitation. As a temporary workaround, avoid using user-controlled keys in the affected API endpoints until the issue is resolved.