QID 379129
Date Published: 2023-12-20
QID 379129: Fortinet FortiAnalyzer and FortiManager Multiple Vulnerabilities (FG-IR-23-201) (FG-IR-23-187)
CVE-2023-44249: An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiManager and FortiAnalyzer may allow a remote attacker with low privileges to read sensitive information via crafted HTTP requests.
CVE-2023-42787: A client-side enforcement of server-side security [CWE-602] vulnerability in FortiManager and FortiAnalyzer may allow a remote attacker with low privileges to access a privileged web console via client-side code execution.
CVE-2023-42782: An insufficient verification of data authenticity [CWE-345] vulnerability in FortiAnalyzer, FortiAnalyzer-BigData and FortiManager with FortiAnalyzer features may allow a remote unauthenticated attacker to send messages to the syslog server of FortiAnalyzer with knowledge of an authorized device serial number.
Affected Products:
FortiManager 7.4.0
FortiManager 7.2.0 through 7.2.3
FortiManager 7.0.0 through 7.0.9
FortiManager 6.4 all versions
FortiManager 6.2 all versions
FortiAnalyzer 7.4.0
FortiAnalyzer 7.2.0 through 7.2.3
FortiAnalyzer 7.0.0 through 7.0.9
FortiAnalyzer 6.4 all versions
FortiAnalyzer 6.2 all versions
Note: This QID addresses FortiAnalyzer and FortiManager only.
QID Detection Logic (Authenticated):
Detection checks for vulnerable versions of FortiManager and FortiAnalyzer.
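The version check below is an added example, not Qualys's detection code or Fortinet's. It encodes the affected ranges exactly as listed on this page (a branch with "all versions" is open-ended; 7.4 is affected only at 7.4.0) and evaluates them against the version string as printed by the appliance, e.g. the `v7.2.3-build...` form from `get system status`. The inventory records, hostnames and build numbers are constructed for the example and are not real systems.

```python
import re

# Affected ranges as listed in this QID. Each tuple is
# (major, minor, highest_affected_patch); None means every release in that
# branch is affected. Assumption: this mirrors the page, not a live feed.
AFFECTED_RANGES = {
    "FortiManager": [(7, 4, 0), (7, 2, 3), (7, 0, 9), (6, 4, None), (6, 2, None)],
    "FortiAnalyzer": [(7, 4, 0), (7, 2, 3), (7, 0, 9), (6, 4, None), (6, 2, None)],
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) from '7.2.3' or a full banner such as
    'v7.0.9-build0444 230824 (GA)'. Raises ValueError if no x.y.z is present,
    so an unparseable banner is never silently treated as 'not affected'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(product: str, version: str) -> bool:
    """True if (product, version) falls inside one of the listed ranges."""
    if product not in AFFECTED_RANGES:
        # This QID covers FortiManager and FortiAnalyzer only.
        raise ValueError(f"product not covered by this QID: {product}")
    major, minor, patch = parse_version(version)
    for r_major, r_minor, max_patch in AFFECTED_RANGES[product]:
        if (major, minor) != (r_major, r_minor):
            continue
        # Same branch: open-ended branches match everything, otherwise
        # compare the patch level against the highest affected release.
        return max_patch is None or patch <= max_patch
    return False  # branch not listed on the page (e.g. 7.6)


def check_hosts(records):
    """records: iterable of (hostname, product, version_banner).
    Returns the hostnames whose version lies inside an affected range."""
    return [host for host, product, version in records
            if is_affected(product, version)]


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = [
    ("fmg-01", "FortiManager", "v7.2.3-build1090 230524 (GA)"),   # in range
    ("fmg-02", "FortiManager", "v7.2.4-build1179 231212 (GA)"),   # above 7.2.3
    ("faz-01", "FortiAnalyzer", "v6.4.12-build2453 230710 (GA)"), # 6.4 all versions
    ("faz-02", "FortiAnalyzer", "v7.0.10-build0604 231117 (GA)"), # above 7.0.9
    ("faz-03", "FortiAnalyzer", "v7.4.1-build2359 231218 (GA)"),  # above 7.4.0
]

if __name__ == "__main__":
    for host in check_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected per QID 379129")
```

A release above a listed range is reported as not affected only because it lies outside the ranges on this page; confirm the fixed releases against the Fortinet advisories rather than against this table, and keep `AFFECTED_RANGES` in step with them if Fortinet revises the affected-version list.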
Successful exploitation of these vulnerabilities may allow a remote attacker with low privileges to read sensitive information and access a privileged web console, and a remote unauthenticated attacker to send spoofed messages to the FortiAnalyzer syslog server.
Vendor has released fixes to address these vulnerabilities.
For more details refer to advisories FG-IR-23-201 and FG-IR-23-187:
- FG-IR-23-187 - www.fortiguard.com/psirt/FG-IR-23-187
- FG-IR-23-201 - www.fortiguard.com/psirt/FG-IR-23-201
CVEs related to QID 379129
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| FG-IR-23-187 | FortiManager, FortiAnalyzer | | www.fortiguard.com/psirt/FG-IR-23-187 |
| FG-IR-23-201 | FortiManager, FortiAnalyzer | | www.fortiguard.com/psirt/FG-IR-23-201 |