A cross-site request forgery (CSRF) in Fortinet FortiVoiceEnterprise version 6.4.x, 6.0.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.0 through 6.2.7, 6.0.x, FortiMail version 7.0.0 through 7.0.3, 6.4.0 through 6.4.6, 6.2.x, 6.0.x FortiRecorder version 6.4.0 through 6.4.2, 6.0.x, 2.7.x, 2.6.x, FortiNDR version 1.x.x allows a remote unauthenticated attacker to execute commands on the CLI via tricking an authenticated administrator to execute malicious GET requests.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00442.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Fortinet
  • Fortiai
  • Fortimail
  • Fortindr
  • Fortirecorder
  • Fortiswitch
  • Fortivoice

Configuration 1 [-]

OR cpe:2.3:a:fortinet:fortiai:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiai:1.5.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortindr:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortindr:7.1.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortirecorder:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortirecorder:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortirecorder:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortirecorder:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortivoice:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortivoice:*:*:*:*:*:*:*:*
cpe:2.3:o:fortinet:fortiswitch:*:*:*:*:*:*:*:*
cpe:2.3:o:fortinet:fortiswitch:*:*:*:*:*:*:*:*
cpe:2.3:o:fortinet:fortiswitch:*:*:*:*:*:*:*:*
cpe:2.3:o:fortinet:fortiswitch:*:*:*:*:*:*:*:*

No data.

No data.

Advisories
Source ID Title
EUVD EUVD EUVD-2022-31989 A cross-site request forgery (CSRF) in Fortinet FortiVoiceEnterprise version 6.4.x, 6.0.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.0 through 6.2.7, 6.0.x, FortiMail version 7.0.0 through 7.0.3, 6.4.0 through 6.4.6, 6.2.x, 6.0.x FortiRecorder version 6.4.0 through 6.4.2, 6.0.x, 2.7.x, 2.6.x, FortiNDR version 1.x.x allows a remote unauthenticated attacker to execute commands on the CLI via tricking an authenticated administrator to execute malicious GET requests.
Fixes

Solution

Please upgrade to FortiVoice version 7.0.0 or above Please upgrade to FortiVoice version 6.4.8 or above Please upgrade to FortiVoice version 6.0.12 or above Please upgrade to FortiRecorder version 7.0.0 or above Please upgrade to FortiRecorder version 6.4.3 or above Please upgrade to FortiRecorder version 6.0.12 or above Please upgrade to FortiSwitch version 7.2.0 or above Please upgrade to FortiSwitch version 7.0.5 or above Please upgrade to FortiSwitch version 6.4.11 or above Please upgrade to FortiNDR version 7.2.0 or above Please upgrade to FortiNDR version 7.1.1 or above Please upgrade to FortiNDR version 7.0.5 or above Please upgrade to FortiMail version 7.2.0 or above Please upgrade to FortiMail version 7.0.4 or above Please upgrade to FortiMail version 6.4.7 or above

Workaround

No workaround given by the vendor.

References
Link Providers
https://fortiguard.com/psirt/FG-IR-22-038 cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2024-08-03T05:32:57.924Z

Reserved: 2022-03-21T16:03:48.575Z

Link: CVE-2022-27488

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-12-13T07:15:10.910

Modified: 2024-11-21T06:55:49.453

Link: CVE-2022-27488

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.