Details of VAR-202312-1940

ID

VAR-202312-1940

CVE

CVE-2022-27488

TITLE

Cross-site request forgery vulnerability in multiple Fortinet products

Trust: 0.8

sources: JVNDB: JVNDB-2022-024746

DESCRIPTION

A cross-site request forgery (CSRF) in Fortinet FortiVoiceEnterprise version 6.4.x, 6.0.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.0 through 6.2.7, 6.0.x, FortiMail version 7.0.0 through 7.0.3, 6.4.0 through 6.4.6, 6.2.x, 6.0.x FortiRecorder version 6.4.0 through 6.4.2, 6.0.x, 2.7.x, 2.6.x, FortiNDR version 1.x.x allows a remote unauthenticated attacker to execute commands on the CLI via tricking an authenticated administrator to execute malicious GET requests. FortiAI firmware, FortiMail , FortiNDR A cross-site request forgery vulnerability exists in multiple Fortinet products.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2022-27488 // JVNDB: JVNDB-2022-024746

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortimail	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	lte	version:	7.0.3	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	lte	version:	6.4.6	Trust: 1.0
vendor:	fortinet	model:	fortirecorder	scope:	lte	version:	6.4.2	Trust: 1.0
vendor:	fortinet	model:	fortivoice	scope:	lte	version:	6.4.7	Trust: 1.0
vendor:	fortinet	model:	fortiswitch	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortindr	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiswitch	scope:	lte	version:	7.0.4	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	lte	version:	6.0.12	Trust: 1.0
vendor:	fortinet	model:	fortiswitch	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiai	scope:	eq	version:	1.1.0	Trust: 1.0
vendor:	fortinet	model:	fortirecorder	scope:	gte	version:	2.7.0	Trust: 1.0
vendor:	fortinet	model:	fortindr	scope:	lte	version:	7.0.4	Trust: 1.0
vendor:	fortinet	model:	fortiai	scope:	eq	version:	1.5.3	Trust: 1.0
vendor:	fortinet	model:	fortivoice	scope:	lte	version:	6.0.11	Trust: 1.0
vendor:	fortinet	model:	fortiswitch	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortirecorder	scope:	lte	version:	6.0.11	Trust: 1.0
vendor:	fortinet	model:	fortivoice	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortirecorder	scope:	lte	version:	2.7.7	Trust: 1.0
vendor:	fortinet	model:	fortiswitch	scope:	lte	version:	6.4.10	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	gte	version:	6.2.0	Trust: 1.0
vendor:	fortinet	model:	fortirecorder	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	lte	version:	6.2.9	Trust: 1.0
vendor:	fortinet	model:	fortirecorder	scope:	lte	version:	2.6.3	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	fortinet	model:	fortivoice	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortimail	scope:	gte	version:	7.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiswitch	scope:	lte	version:	6.2.7	Trust: 1.0
vendor:	fortinet	model:	fortiswitch	scope:	lte	version:	6.0.7	Trust: 1.0
vendor:	fortinet	model:	fortirecorder	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortiswitch	scope:	gte	version:	6.2.0	Trust: 1.0
vendor:	fortinet	model:	fortindr	scope:	eq	version:	7.1.0	Trust: 1.0
vendor:	fortinet	model:	fortirecorder	scope:	gte	version:	2.6.0	Trust: 1.0
vendor:	フォーティネット	model:	fortiswitch	scope:	eq	version:	6.2.0 to 6.2.7	Trust: 0.8
vendor:	フォーティネット	model:	fortiswitch	scope:	eq	version:	7.0.0 to 7.0.4	Trust: 0.8
vendor:	フォーティネット	model:	fortindr	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortirecorder	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiswitch	scope:	eq	version:	6.0.0 to 6.0.7	Trust: 0.8
vendor:	フォーティネット	model:	fortimail	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiswitch	scope:	eq	version:	6.4.0 to 6.4.10	Trust: 0.8
vendor:	フォーティネット	model:	fortivoice	scope:	-	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortiai	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-024746 // NVD: CVE-2022-27488

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-27488
value:	HIGH
Trust: 1.0
psirt@fortinet.com:	CVE-2022-27488
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-27488
value:	HIGH
Trust: 0.8

nvd@nist.gov:	CVE-2022-27488
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2022-27488
baseSeverity:	HIGH
baseScore:	8.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	LOW
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.5
version:	3.1
Trust: 1.0
NVD:	CVE-2022-27488
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-024746 // NVD: CVE-2022-27488 // NVD: CVE-2022-27488

PROBLEMTYPE DATA

problemtype:	CWE-352	Trust: 1.0
problemtype:	Cross-site request forgery (CWE-352) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-024746 // NVD: CVE-2022-27488

PATCH

title:

FG-IR-22-038

url:

https://www.fortiguard.com/psirt/FG-IR-22-038

Trust: 0.8

sources: JVNDB: JVNDB-2022-024746

EXTERNAL IDS

db:	NVD	id:	CVE-2022-27488	Trust: 2.6
db:	JVNDB	id:	JVNDB-2022-024746	Trust: 0.8

sources: JVNDB: JVNDB-2022-024746 // NVD: CVE-2022-27488

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-22-038	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2022-27488	Trust: 0.8

sources: JVNDB: JVNDB-2022-024746 // NVD: CVE-2022-27488

SOURCES

db:	JVNDB	id:	JVNDB-2022-024746
db:	NVD	id:	CVE-2022-27488

LAST UPDATE DATE

2024-08-14T13:41:21.392000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2022-024746	date:	2024-01-16T07:06:00
db:	NVD	id:	CVE-2022-27488	date:	2024-01-18T15:48:06.043

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2022-024746	date:	2024-01-16T00:00:00
db:	NVD	id:	CVE-2022-27488	date:	2023-12-13T07:15:10.910