CVE-2023-44253 : An exposure of sensitive information to an unauthorized actor vulnerability [CWE

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in Fortinet FortiManager version 7.4.0 through 7.4.1 and before 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.1 and before 7.2.5 and FortiAnalyzer-BigData before 7.2.5 allows an adom administrator to enumerate other adoms and device names via crafted HTTP or HTTPS requests.

Published 2024-02-15 14:15:45

Updated 2024-03-11 22:15:54

Source Fortinet, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2023-44253

Fortinet » Fortimanager
Versions from including (>=) 6.2.0 and up to, including, (<=) 6.2.12
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortimanager
Versions from including (>=) 7.0.0 and up to, including, (<=) 7.0.11
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortimanager
Versions from including (>=) 7.2.0 and up to, including, (<=) 7.2.3
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortimanager
Versions from including (>=) 6.4.0 and up to, including, (<=) 6.4.14
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortimanager » Version: 7.4.0
cpe:2.3:a:fortinet:fortimanager:7.4.0:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortimanager » Version: 7.4.1
cpe:2.3:a:fortinet:fortimanager:7.4.1:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortianalyzer
Versions from including (>=) 6.2.0 and up to, including, (<=) 6.2.12
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortianalyzer
Versions from including (>=) 6.4.0 and up to, including, (<=) 6.4.14
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortianalyzer
Versions from including (>=) 7.2.0 and up to, including, (<=) 7.2.3
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortianalyzer
Versions from including (>=) 7.0.0 and up to, including, (<=) 7.0.11
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortianalyzer » Version: 7.4.0
cpe:2.3:a:fortinet:fortianalyzer:7.4.0:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortianalyzer » Version: 7.4.1
cpe:2.3:a:fortinet:fortianalyzer:7.4.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-44253

EPSS FAQ

0.19%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 41 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-44253

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N	3.1	1.4	NIST	2024-02-20
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: Low Integrity: None Availability: None
5.0	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N	3.1	1.4	Fortinet, Inc.	2024-02-15
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2023-44253

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: psirt@fortinet.com (Secondary)

References for CVE-2023-44253

https://fortiguard.com/psirt/FG-IR-23-268

PSIRT | FortiGuard
Vendor Advisory
https://github.com/orangecertcc/security-research/security/advisories/GHSA-25j8-69h7-83h2

FortiManager - Device name enumeration (CVE-2023-44253) · Advisory · orangecertcc/security-research · GitHub

Jump to

Vulnerability Details : CVE-2023-44253

Products affected by CVE-2023-44253

Exploit prediction scoring system (EPSS) score for CVE-2023-44253

CVSS scores for CVE-2023-44253

CWE ids for CVE-2023-44253

References for CVE-2023-44253