CVE-2023-48788

2024-03-1215:15:46

CWE-89

fortinet

web.nvd.nist.gov

195

In Wild

fortinet

forticlientems

cve-2023-48788

sql injection

unauthorized code execution

nvd

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.711

Percentile

98.1%

JSON

A improper neutralization of special elements used in an sql command (‘sql injection’) in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.

Affected configurations

Nvd

Node

fortinetforticlient_enterprise_management_serverRange7.0.1–7.0.10

fortinetforticlient_enterprise_management_serverRange7.2.0–7.2.2

VendorProductVersionCPE
fortinetforticlient_enterprise_management_server*cpe:2.3:a:fortinet:forticlient_enterprise_management_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fortinet	forticlient_enterprise_management_server	*	cpe:2.3:a:fortinet:forticlient_enterprise_management_server::::::::

CNA Affected

[
  {
    "vendor": "Fortinet",
    "product": "FortiClientEMS",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "versionType": "semver",
        "version": "7.2.0",
        "lessThanOrEqual": "7.2.2",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "7.0.1",
        "lessThanOrEqual": "7.0.10",
        "status": "affected"
      }
    ]
  }
]