Description
An improper authorization vulnerability [CWE-285] in the change-password endpoint of FortiSOAR versions 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, and 7.0.0 through 7.0.3 may allow an authenticated attacker to brute-force user and administrator passwords via crafted HTTP requests.
CVSS breakdown
CVSS 3.1

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Exploit Code Maturity (E) | Physical |
| Remediation Level (RL) | X |
| Report Confidence (RC) | Changed |
Affected products
- fortinet / fortisoar 7.4.3
- fortinet / fortisoar 7.4.2
- fortinet / fortisoar 7.4.1
- fortinet / fortisoar 7.4.0
- fortinet / fortisoar 7.3.2
- fortinet / fortisoar 7.3.1
- fortinet / fortisoar 7.3.0
- fortinet / fortisoar 7.2.2
- fortinet / fortisoar 7.2.1
- fortinet / fortisoar 7.2.0
- fortinet / fortisoar 7.0.3
- fortinet / fortisoar 7.0.2
- fortinet / fortisoar 7.0.1
- fortinet / fortisoar 7.0.0
References
- Vendor advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-048