CVE-2024-21761 - Vulnerability Details - OpenCVE

An improper authorization vulnerability [CWE-285] in FortiPortal version 7.2.0, and versions 7.0.6 and below reports may allow a user to download other organizations reports via modification in the request payload.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00239.

Key SSVC decision points have not yet been added.

Vendors	Products
Fortinet	Fortiportal

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortiportal::::::::
	cpe:2.3:a:fortinet:fortiportal:7.2.0:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-19375	An improper authorization vulnerability [CWE-285] in FortiPortal version 7.2.0, and versions 7.0.6 and below reports may allow a user to download other organizations reports via modification in the request payload.

Fixes

Solution

Please upgrade to FortiPortal version 7.2.1 or above Please upgrade to FortiPortal version 7.0.7 or above

Workaround

No workaround given by the vendor.

References

Link	Providers
https://fortiguard.com/psirt/FG-IR-24-016

History

No history.

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2024-03-12T15:09:16.653Z

Updated: 2024-08-12T18:03:23.595Z

Reserved: 2024-01-02T10:15:00.527Z

Link: CVE-2024-21761

Vulnrichment

Updated: 2024-08-01T22:27:36.303Z

NVD

Status : Modified

Published: 2024-03-12T15:15:48.740

Modified: 2024-11-21T08:54:57.477

Link: CVE-2024-21761

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21761", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2024-01-02T10:15:00.527Z", "datePublished": "2024-03-12T15:09:16.653Z", "dateUpdated": "2024-08-12T18:03:23.595Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiPortal", "defaultStatus": "unaffected", "versions": [{"version": "7.2.0", "status": "affected"}, {"versionType": "semver", "version": "7.0.0", "lessThanOrEqual": "7.0.6", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability [CWE-285] in FortiPortal version 7.2.0, and versions 7.0.6 and below reports may allow a user to download other organizations reports via modification in the request payload."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2024-03-12T15:09:16.653Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-285", "description": "Improper access control", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"}}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiPortal version 7.2.1 or above \nPlease upgrade to FortiPortal version 7.0.7 or above \n"}], "references": [{"name": "https://fortiguard.com/psirt/FG-IR-24-016", "url": "https://fortiguard.com/psirt/FG-IR-24-016"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.303Z"}, "title": "CVE Program Container", "references": [{"name": "https://fortiguard.com/psirt/FG-IR-24-016", "url": "https://fortiguard.com/psirt/FG-IR-24-016", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "fortinet", "product": "fortiportal", "cpes": ["cpe:2.3:a:fortinet:fortiportal:7.2.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "7.2.0", "status": "affected"}]}, {"vendor": "fortinet", "product": "fortiportal", "cpes": ["cpe:2.3:a:fortinet:fortiportal:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "7.0.0", "status": "affected", "lessThanOrEqual": "7.0.6", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-23T04:00:54.328319Z", "id": "CVE-2024-21761", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T18:03:23.595Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://fortiguard.com/psirt/FG-IR-24-016", "name": "https://fortiguard.com/psirt/FG-IR-24-016", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.303Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21761", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-23T04:00:54.328319Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:fortinet:fortiportal:7.2.0:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiportal", "versions": [{"status": "affected", "version": "7.2.0"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:fortinet:fortiportal:*:*:*:*:*:*:*:*"], "vendor": "fortinet", "product": "fortiportal", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "semver", "lessThanOrEqual": "7.0.6"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T18:03:17.800Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Fortinet", "product": "FortiPortal", "versions": [{"status": "affected", "version": "7.2.0"}, {"status": "affected", "version": "7.0.0", "versionType": "semver", "lessThanOrEqual": "7.0.6"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Please upgrade to FortiPortal version 7.2.1 or above \nPlease upgrade to FortiPortal version 7.0.7 or above \n"}], "references": [{"url": "https://fortiguard.com/psirt/FG-IR-24-016", "name": "https://fortiguard.com/psirt/FG-IR-24-016"}], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability [CWE-285] in FortiPortal version 7.2.0, and versions 7.0.6 and below reports may allow a user to download other organizations reports via modification in the request payload."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "Improper access control"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2024-03-12T15:09:16.653Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21761", "state": "PUBLISHED", "dateUpdated": "2024-08-12T18:03:23.595Z", "dateReserved": "2024-01-02T10:15:00.527Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2024-03-12T15:09:16.653Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortiportal:*:*:*:*:*:*:*:*", "matchCriteriaId": "281311DE-FCED-4AB9-8D54-EBD0C8FE53B4", "versionEndExcluding": "7.0.7", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortiportal:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "2C7F7D4E-DE62-491A-9C00-EAD2595BF2D7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability [CWE-285] in FortiPortal version 7.2.0, and versions 7.0.6 and below reports may allow a user to download other organizations reports via modification in the request payload."}, {"lang": "es", "value": "Una vulnerabilidad de autorizaci\u00f3n inadecuada [CWE-285] en los informes de FortiPortal versi\u00f3n 7.2.0 y versiones 7.0.6 e inferiores puede permitir a un usuario descargar informes de otras organizaciones mediante modificaciones en el payload de la solicitud."}], "id": "CVE-2024-21761", "lastModified": "2024-11-21T08:54:57.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@fortinet.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-12T15:15:48.740", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-24-016"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-24-016"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "psirt@fortinet.com", "type": "Secondary"}]}