cvelist/2023/48xxx/CVE-2023-48791.json

{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2023-48791",
        "ASSIGNER": "psirt@fortinet.com",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPortal version 7.2.0, version 7.0.6 and below may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via specifically crafted arguments in the Schedule System Backup page field."
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "Improper access control",
                        "cweId": "CWE-77"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Fortinet",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "FortiPortal",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "=",
                                            "version_value": "7.2.0"
                                        },
                                        {
                                            "version_affected": "<=",
                                            "version_name": "7.0.0",
                                            "version_value": "7.0.6"
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://fortiguard.com/psirt/FG-IR-23-425",
                "refsource": "MISC",
                "name": "https://fortiguard.com/psirt/FG-IR-23-425"
            }
        ]
    },
    "solution": [
        {
            "lang": "en",
            "value": "Please upgrade to FortiPortal version 7.2.1 or above \nPlease upgrade to FortiPortal version 7.0.7 or above \nPlease upgrade to FortiPortal version 6.0.15 or above \nPlease upgrade to FortiPortal version 5.3.9 or above \n"
        }
    ],
    "impact": {
        "cvss": [
            {
                "version": "3.1",
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.9,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
            }
        ]
    }
}
"-Synchronized-Data." 2023-11-19 20:00:34 +00:00			`{`
"-Synchronized-Data." 2023-12-13 07:00:31 +00:00			`"data_version": "4.0",`
"-Synchronized-Data." 2023-11-19 20:00:34 +00:00			`"data_type": "CVE",`
			`"data_format": "MITRE",`
			`"CVE_data_meta": {`
			`"ID": "CVE-2023-48791",`
"-Synchronized-Data." 2023-12-13 07:00:31 +00:00			`"ASSIGNER": "psirt@fortinet.com",`
			`"STATE": "PUBLIC"`
"-Synchronized-Data." 2023-11-19 20:00:34 +00:00			`},`
			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
"-Synchronized-Data." 2023-12-13 07:00:31 +00:00			`"value": "An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPortal version 7.2.0, version 7.0.6 and below may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via specifically crafted arguments in the Schedule System Backup page field."`
			`}`
			`]`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "Improper access control",`
			`"cweId": "CWE-77"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"vendor_name": "Fortinet",`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "FortiPortal",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "=",`
			`"version_value": "7.2.0"`
			`},`
			`{`
			`"version_affected": "<=",`
			`"version_name": "7.0.0",`
			`"version_value": "7.0.6"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`}`
			`}`
			`]`
			`}`
			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"url": "https://fortiguard.com/psirt/FG-IR-23-425",`
			`"refsource": "MISC",`
			`"name": "https://fortiguard.com/psirt/FG-IR-23-425"`
			`}`
			`]`
			`},`
			`"solution": [`
			`{`
			`"lang": "en",`
			`"value": "Please upgrade to FortiPortal version 7.2.1 or above \nPlease upgrade to FortiPortal version 7.0.7 or above \nPlease upgrade to FortiPortal version 6.0.15 or above \nPlease upgrade to FortiPortal version 5.3.9 or above \n"`
			`}`
			`],`
			`"impact": {`
			`"cvss": [`
			`{`
			`"version": "3.1",`
			`"attackComplexity": "LOW",`
			`"attackVector": "NETWORK",`
			`"availabilityImpact": "HIGH",`
			`"baseScore": 7.9,`
			`"baseSeverity": "HIGH",`
			`"confidentialityImpact": "HIGH",`
			`"integrityImpact": "HIGH",`
			`"privilegesRequired": "LOW",`
			`"scope": "UNCHANGED",`
			`"userInteraction": "NONE",`
			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"`
"-Synchronized-Data." 2023-11-19 20:00:34 +00:00			`}`
			`]`
			`}`
			`}`