CVE-2023-28001

2023-07-1116:52:46

CWE-613

fortinet

www.cve.org

fortinet

fortios

session expiration

unauthorized code execution

rest api

4.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:U

9.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.2%

JSON

An insufficient session expiration in Fortinet FortiOS 7.0.0 - 7.0.12 and 7.2.0 - 7.2.4 allows an attacker to execute unauthorized code or commands via reusing the session of a deleted user in the REST API.

CNA Affected

[
  {
    "vendor": "Fortinet",
    "product": "FortiOS",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "versionType": "semver",
        "version": "7.2.0",
        "lessThanOrEqual": "7.2.4",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "7.0.0",
        "lessThanOrEqual": "7.0.12",
        "status": "affected"
      }
    ]
  }
]