Unverified Password Change in FortiADC - CVE-2022-27484

 

Unverified Password Change in FortiADC - CVE-2022-27484

Published: August 2, 2022


Vulnerability identifier: #VU65982
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-27484
CWE-ID: CWE-620
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Fortinet, Inc
Affected software:
FortiADC

Detailed vulnerability description

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists due to unverified password change in GUI interface. An attacker with access to victim's session can bypass the Old Password check in the password change form and set a new password without knowledge of the old password.


How to mitigate CVE-2022-27484

Install updates from vendor's website.

Sources