Fortinet FortiAnalyzer/Manager Privilege Escalation via CWE-602 (CVE-2024-23666)

Key Information Vulnerability Description Title: Readonly users could run some sensitive operations Summary: A client-side executed server-side security vulnerability [CWE-602] in FortiAnalyzer may allow an authenticated attacker with at least read-only permissions to perform sensitive operations by crafting malicious requests. Affected Ranges Affected Versions: - FortiAnalyzer 7.4: 7.4.0 through 7.4.2 - FortiAnalyzer 7.2: 7.2.0 through 7.2.5 - FortiAnalyzer 7.0: 7.0.0 through 7.0.12 - FortiAnalyzer 6.4: 6.4.0 through 6.4.14 - FortiAnalyzer-BigData 7.4: 7.4.0 - FortiAnalyzer-BigData 7.2: 7.2.0 through 7.2.6 - FortiAnalyzer-BigData 7.0: 7.0 all versions - FortiAnalyzer-BigData 6.4: 6.4 all versions - FortiAnalyzer-BigData 6.2: 6.2 all versions - FortiManager 7.4: 7.4.0 through 7.4.2 - FortiManager 7.2: 7.2.0 through 7.2.5 - FortiManager 7.0: 7.0.0 through 7.0.12 - FortiManager 6.4: 6.4.0 through 6.4.14 Solution Upgrade to: - FortiAnalyzer 7.4: 7.4.3 or later - FortiAnalyzer 7.2: 7.2.6 or later - FortiAnalyzer 7.0: 7.0.13 or later - FortiAnalyzer 6.4: 6.4.15 or later - FortiAnalyzer-BigData 7.4: 7.4.1 or later - FortiAnalyzer-BigData 7.2: 7.2.7 or later - FortiAnalyzer-BigData 7.0: 7.0 all versions - FortiAnalyzer-BigData 6.4: 6.4 all versions - FortiAnalyzer-BigData 6.2: 6.2 all versions - FortiManager 7.4: 7.4.3 or later - FortiManager 7.2: 7.2.6 or later - FortiManager 7.0: 7.0.13 or later - FortiManager 6.4: 6.4.15 or later Identification and Reporting Identifiers: Paul BARBE, Antoine CARRINCAZEAX, Clément AMIC Identifying Organization: Synacktiv (https://www.synacktiv.com) Identification Date: 2024-11-12 Security Rating Severity: High CVSSv3 Score: 7.1 Impact: Improper Access Control Additional Information CVE ID: CVE-2024-23666 CVRF: Download Conclusion This vulnerability allows users with read-only permissions to perform sensitive operations, affecting multiple versions of FortiAnalyzer and FortiManager. Affected users are advised to upgrade to the specified patched versions as soon as possible to mitigate this risk.

Goal Reached Thanks to every supporter — we hit 100%!

Fortinet FortiAnalyzer/Manager Privilege Escalation via CWE-602 (CVE-2024-23666)