CVE-2023-25603 : A permissive cross-domain policy with untrusted domains vulnerability in Fortine

A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.3.0 - 6.3.4 and 6.4.0 - 6.4.1 allow an unauthorized attacker to carry out privileged actions and retrieve sensitive information via crafted web requests.

Published 2023-11-14 19:15:20

Updated 2023-11-20 20:52:25

Source Fortinet, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-25603

Fortinet » Fortiadc » Version: 7.1.0
cpe:2.3:a:fortinet:fortiadc:7.1.0:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortiadc » Version: 7.1.1
cpe:2.3:a:fortinet:fortiadc:7.1.1:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortiddos-f
Versions from including (>=) 6.3.0 and up to, including, (<=) 6.3.4
cpe:2.3:a:fortinet:fortiddos-f:*:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortiddos-f » Version: 6.4.0
cpe:2.3:a:fortinet:fortiddos-f:6.4.0:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortiddos-f » Version: 6.4.1
cpe:2.3:a:fortinet:fortiddos-f:6.4.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-25603

EPSS FAQ

0.17%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 35 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-25603

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N	3.9	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	2.8	2.5	Fortinet, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2023-25603

CWE-942 Permissive Cross-domain Policy with Untrusted Domains

The product uses a cross-domain policy file that includes domains that should not be trusted.

Assigned by: psirt@fortinet.com (Secondary)

References for CVE-2023-25603

https://fortiguard.com/psirt/FG-IR-22-518

FortiGuard
Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-25603

Products affected by CVE-2023-25603

Exploit prediction scoring system (EPSS) score for CVE-2023-25603

CVSS scores for CVE-2023-25603

CWE ids for CVE-2023-25603

References for CVE-2023-25603