Main Vulnerability Database Vulnerabilities #VU81969

Information disclosure in FortiOS - CVE-2023-37935

Published: October 12, 2023

Vulnerability identifier: #VU81969

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-37935

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Fortinet, Inc

Affected software:
FortiOS

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to authentication tokens are passed via HTTP GET parameters in plain text in the FortiOS SSL VPN component. A remote attacker with ability to access parameters of HTTP GET request (e.g. by accessing proxy logs) can gain access to sensitive information.

How to mitigate CVE-2023-37935

Install updates from vendor's website.

Sources

https://fortiguard.com/psirt/FG-IR-23-120

Information disclosure in FortiOS - CVE-2023-37935

Detailed vulnerability description

How to mitigate CVE-2023-37935

Sources

Please verify you're human