Permissions, Privileges, and Access Controls in Fortinet, FortiOS



Published: 2013-06-25 | Updated: 2020-08-11
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2013-4604
CWE-ID CWE-264
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		FortiOS
Operating systems & Components / Operating system

Vendor Fortinet, Inc

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU42771

Risk: Low

CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-4604

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote #AU# to read and manipulate data.

Fortinet FortiOS before 5.0.3 on FortiGate devices does not properly restrict Guest capabilities, which allows remote authenticated users to read, modify, or delete the records of arbitrary users by leveraging the Guest role.

Mitigation

Install update from vendor's website.

Vulnerable software versions

FortiOS: 5.0.1

External links

http://www.fortiguard.com/advisory/FGA-2013-20/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###