CVE-2023-23777

2023-07-1109:15:09

CWE-78

[email protected]

web.nvd.nist.gov

804

fortiweb

cve-2023-23777

os command injection

cwe-78

nvd

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.3%

JSON

An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiWeb version 7.0.1 and below, 6.4 all versions, version 6.3.18 and below may allow a privileged attacker to execute arbitrary bash commands via crafted cli backup parameters.

Affected configurations

NVD

Node

fortinetfortiwebRange6.3.6–6.3.18

fortinetfortiwebRange6.4.0–6.4.3

fortinetfortiwebMatch7.0.0

fortinetfortiwebMatch7.0.1

CPENameOperatorVersion
fortinet:fortiwebfortinet fortiweble6.3.18
fortinet:fortiwebfortinet fortiweble6.4.3
fortinet:fortiwebfortinet fortiwebeq7.0.0
fortinet:fortiwebfortinet fortiwebeq7.0.1

CPE	Name	Operator	Version
fortinet:fortiweb	fortinet fortiweb	le	6.3.18
fortinet:fortiweb	fortinet fortiweb	le	6.4.3
fortinet:fortiweb	fortinet fortiweb	eq	7.0.0
fortinet:fortiweb	fortinet fortiweb	eq	7.0.1

CNA Affected

[
  {
    "vendor": "Fortinet",
    "product": "FortiWeb",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "versionType": "semver",
        "version": "7.0.0",
        "lessThanOrEqual": "7.0.1",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.4.0",
        "lessThanOrEqual": "6.4.3",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "6.3.6",
        "lessThanOrEqual": "6.3.18",
        "status": "affected"
      }
    ]
  }
]