CRITICAL🇵🇱 Wersja polska

CVE-2023-40714

CVSS 9.9v3.1pub. 2025-04-02upd. 2025-07-15

A relative path traversal in Fortinet FortiSIEM versions 7.0.0, 6.7.0 through 6.7.2, 6.6.0 through 6.6.3, 6.5.1, 6.5.0 allows attacker to escalate privilege via uploading certain GUI elements

🤖 AI Analysis
How it works

An attacker with basic system access (low privileges) can upload specific GUI elements containing crafted relative paths (relative path traversal, CWE-23). The application mechanism does not properly validate the uploaded paths, which allows files to be placed outside the permitted directory. As a result, the attacker is able to obtain a higher level of privileges in the system.

Impact

Successful exploitation of the vulnerability allows an attacker to escalate privileges, potentially leading to complete takeover of the FortiSIEM system with violation of data confidentiality, integrity, and availability.

Mitigation & patch

Patches available from the vendor should be applied in accordance with references published by Fortinet at https://fortiguard.com/psirt/FG-IR-23-085

Who is affected

Fortinet FortiSIEM in versions: 7.0.0, 6.7.0 to 6.7.2, 6.6.0 to 6.6.3, 6.5.1, and 6.5.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Fortinet Fortisiem

    APP
    Fortinet
    7.0.06.4.0 – 6.5.16.6.0 – 6.6.36.7.0 – 6.7.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2025-64155CRITICAL9.8PL ✓ten sam produkt

Command injection w Fortinet FortiSIEM — RCE przez TCP

CVE-2025-25256CRITICAL9.8PL ✓ten sam produkt

Krytyczny pre-auth command injection w Fortinet FortiSIEM (RCE)

CVE-2024-23108CRITICAL10.0PL ✓ten sam produkt

Command injection w Fortinet FortiSIEM — nieautoryzowane wykonanie kodu przez API

CVE-2024-23109CRITICAL10.0PL ✓ten sam produkt

Command Injection w Fortinet FortiSIEM umożliwiający zdalne wykonanie kodu

CVE-2023-36553CRITICAL9.8ten sam produkt

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet Forti...