CVE-2023-26206

Published Feb 15, 2024

Last updated a year ago

CVSS medium 6.1

Overview

Description: An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiNAC 9.4.0 - 9.4.2, 9.2.0 - 9.2.8, 9.1.0 - 9.1.10 and 7.2.0 allows an attacker to execute unauthorized code or commands via the name fields observed in the policy audit logs.
Source: psirt@fortinet.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.1
Impact score: 2.7
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

psirt@fortinet.com: CWE-79

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "72F09A9E-3804-43BE-95B8-67418FEF269E",
            "versionEndIncluding": "9.1.10",
            "versionStartIncluding": "9.1.0"
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "225F8F74-D68C-444E-87E9-BC8AED05BB42",
            "versionEndIncluding": "9.2.8",
            "versionStartIncluding": "9.2.0"
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "029D7D58-6515-42D5-8E9A-73845CCE15A8",
            "versionEndIncluding": "9.4.2",
            "versionStartIncluding": "9.4.0"
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortinac:7.2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EFF5B4CF-5BF9-4852-BD4F-5A27FD17EDC2"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References