Unverified Password Change in FortiADC - CVE-2022-27484
Published: August 2, 2022
Vulnerability identifier: #VU65982
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-27484
CWE-ID: CWE-620
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Fortinet, Inc
Affected software:
FortiADC
FortiADC
Detailed vulnerability description
The vulnerability allows an attacker to bypass implemented security restrictions.
The vulnerability exists due to unverified password change in GUI interface. An attacker with access to victim's session can bypass the Old Password check in the password change form and set a new password without knowledge of the old password.
How to mitigate CVE-2022-27484
Install updates from vendor's website.